1st Bug Bounty WriteUp: Open Redirect To XSS on Login Page

Hello hackers Hope you are doing well, My name is Nassim, i’m a bug bounty hunter, started a few months, i was discover many vulnerabilities, and now i want to share interesting bug i found and how escalate from open redirect to reflected xss.

So let’s start, i was get invitation from private web application program let’s called redacted.net with 80 asset in scope, and i go check it one by one, i saw an interesting subdomain has email input :

I start hunting and know how it work, i added random email and click on next, so here i notice somthing in URL, is looks like that :


There three parameters, [message] and [extra_message] related to the errors message it print in the page and i can spoof it with other errors message,

the [redirect_uri] parametre related with button who redirect to the url who is in the parameter, So i change it with other url and i was seccessfully redirect it when i click to [Back To Login], I didn’t stop here, i want to escalate it to XSS, after 2 hours of trying to know how WAF is work I bypassed that, yeah! When doing the injection into javascript: as a javascript code, it looks like a WAF on hardening settings, although when the injection point are tags, it’s not. Anyway, what I learned when trying to bypass it :

  • document.location.href=’//t.co’ is blocked.

So my final payload using strings concatenation:

let bb=’<svg onload’;let cc=’=’;dd=’promp’;ff=’)’;gg=’t(‘;hh=’>’;aa=bb+cc+dd+gg+ff+hh

Encode payload as URL :


I replace my payload in redirect_uri and works successfully

Twitter : www.twitter/nvccim

Thank you for reading, see you in next blog .

Security Researcher