Don't forget to pray for our brothers and sisters in Gaza.

🔥 Introduction

Peace be upon you 👋 My name is Abdelmonem Reda, a beginner bug hunter 🐞, and this is my first write-up on Medium ✍️. I hope you enjoy reading it 😊

For policy reasons, we will assume that the target website is called example.com.

🧭 Reconnaissance Phase

I started with normal reconnaissance:

  • 🔎 Enumerating subdomains
  • ⚡ Using httpx to probe live hosts
  • 🧪 Then I used a tool called virustotalx, which was created by orwagodfather

I'm still not very experienced with this tool, but it's actually useful if you want to collect interesting URLs to test 🔗.

🎯 Finding the Target

After finishing recon, I started reviewing the discovered subdomains and found this one:

https://caree.example.com/job-search-results

At first glance, it looked normal and didn't seem interesting 🤔, but I decided to check it anyway.

When I opened the page, I found a job search system 💼 where users can search for jobs based on their needs and location.

While inspecting the page, I noticed an HTML <select> element with multiple <option> values. Since I had previously found XSS vulnerabilities in HTML select elements ⚠️, I decided to test this one as well.

🧨 Discovering the Vulnerability

I found a parameter called category. As soon as I injected the value:

Abdo"

I noticed that an <a> tag was added to the HTML code, with an attribute called aria-label. My injected value was reflected, unencoded, inside that aria-label attribute, appearing as follows:

aria-label="Removed Abdo" "=""

At that point, I immediately knew this was an XSS vulnerability 🚨.

🛡️ Initial Payload & WAF Issues

I tried my first payload:

Abdo" autofocus onfocus=alert()

But it didn't work ❌.

It turned out that there was a WAF blocking the payload 🧱. I spent around 8 hours ⏱️ trying to bypass it.

WAF Behavior:

  • 🚫 It blocked any HTML event handlers, such as:
      • onclick
      • onfocus
      • onmousemove
      • etc.
  • 🚫 It also blocked parentheses (), as in: onfocus=alert('hay')

🔄 Bypass Attempts

I tried many techniques, including:

  • 🧬 Using null bytes
  • 🔣 Adding special characters to event names to evade detection

None of these worked 😓.

Then I tried injecting a closing tag:

</a>

But I noticed that it was completely removed ✂️.

For example, when I injected:

https://caree.example.com/job-search-results/?category=</a>

It was transformed into:

https://caree.example.com/job-search-results/?category=

💡 New Idea

At this point, I thought:

What if I place the closing tag inside the event name itself? 🤯

The idea was that the WAF would strip the closing tag while processing the URL and then pass the remaining payload along without recognising the reassembled event handler.

So I crafted this payload:

https://caree.example.com/job-search-results/?category=Abdo"autofocus onfo</select>cus=(alert)('hay')

Unfortunately, it still didn't work 😞.

After inspecting the HTML again, I realized that the <a> tag was no longer being injected, which explained why the payload failed.

🔓 Final Breakthrough

After 5 more hours ⏳ of testing and almost giving up, I decided to try one last thing: testing another parameter 🎯.

I crafted the following payload:

https://caree.example.com/job-search-results/?category=Abdo">&employment_type=Abdo"autofocus onfo</select>cus=(alert)(docum</select>ent.cookie)

🎉 And it worked! 🎉
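To make the defensive lesson of this bypass concrete, here is an added Python model of the behaviour described above (my own code, not the target's application or any real WAF; the blocklist regex, the closing-tag stripping step and the attribute context are all assumptions). It shows why checking the raw parameter and only then stripping closing tags lets onfo</select>cus= through as harmless text, and that either re-running the check after normalising to a fixed point or encoding the value at the sink closes the gap.

```python
import html
import re
from typing import Optional

# Constructed model of the behaviour the write-up describes (assumptions, not the
# real WAF or application): an event-handler blocklist applied to the raw
# parameter, a later step that removes closing tags such as </a> or </select>,
# and reflection of the result inside an aria-label="..." attribute.
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
CLOSING_TAG = re.compile(r"</[a-z]+>", re.IGNORECASE)


def has_event_handler(value: str) -> bool:
    return EVENT_HANDLER.search(value) is not None


def strip_closing_tags(value: str) -> str:
    # A single pass: "</a>" disappears, but "onfo</select>cus=" turns into "onfocus=".
    return CLOSING_TAG.sub("", value)


def attribute_value_vulnerable(value: str) -> Optional[str]:
    """Check first, strip afterwards: the order the bypass relies on.

    Returns what ends up inside aria-label="..." or None when the WAF blocks it.
    """
    if has_event_handler(value):
        return None
    return strip_closing_tags(value)


def waf_check_normalised(value: str) -> bool:
    """WAF-side fix: strip to a fixed point first, then run the same blocklist.

    Any check applied before a transformation must be repeated after it.
    """
    previous = None
    while previous != value:
        previous, value = value, strip_closing_tags(value)
    return has_event_handler(value)


def attribute_value_hardened(value: str) -> str:
    """Application-side fix: encode for the attribute context at the sink.

    With '"' and '<' encoded, the value cannot leave the attribute, whatever
    the WAF did or did not remove upstream.
    """
    return html.escape(strip_closing_tags(value), quote=True)
```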

📝 Reporting

I was extremely happy 😄 and immediately submitted a bug bounty report 🐞. The report was successfully triaged ✅, praise be to God 🤲.

🌟 Final Advice

If you want a piece of advice: keep learning, keep practicing, and leave the results to Allah 🤲. If this field is written for you, you will succeed, no matter what.