--- layout: post title: An XSS Story --- Last night I stumbled across an XSS in a bug bounty program, this was quite fun to exploit. A little bit of context, the URL was as follows: {% highlight bash%} https://bugbounty.program/dir/page.ext?param1=SOMETHING¶m2=SOMETHINGELSE {% endhighlight %} Going thru the page code we can clearly see a reflection in a javascript tag, around the entry "subject". {% highlight javascript%} xxx: { paramX: "SOMESTRING", country: "US", owner: "mail@program", subject: "SOMETHING", [...] } {% endhighlight %} Let's try with my favorite test payload `AAAA"'BBBB(1)` and see how the characters are escaped. {% highlight javascript%} xxx: { paramX: "SOMESTRING", country: "US", owner: "mail@program", subject: "AAAA" 'BBBB", [...] } {% endhighlight %} The tag was stripped but the double quote isn't escaped. We can say goodbye to the infamous `