Top 25 XSS Bug Bounty Reports

Cristian Cornea
Jan 10, 2020

In this article, we will discuss the Cross-Site Scripting (XSS) vulnerability, explain how to find one, and present 25 disclosed reports based on this issue.

What is XSS?

XSS stands for Cross-Site Scripting. It is a web-based vulnerability in which an attacker can inject malicious scripts (usually JavaScript) into the application. A common impact is that attackers can steal sensitive cookies such as session tokens.

Types of XSS

  1. Stored/Persistent XSS: malicious scripts are stored in the application, for example in a comment section.
  2. Reflected/Non-persistent XSS: malicious scripts are returned to the user in the response, for example in a search query.
  3. DOM-Based/Client-Side XSS: malicious scripts are injected into the Document Object Model and executed on the client side; the web server's response isn't modified.
  4. Self-XSS: the victim is tricked into running malicious scripts on their side, for example in their web developer console.

How to find XSS in a bug bounty program

First, identify all the user inputs in the application, then play with them. Send malicious scripts inside the inputs, see how the server responds, and try to bypass restrictions such as tag removal, encoding or character blacklisting.

Also, inject some XSS polyglots like this:

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

I will provide some links that contain lists with payloads like the one above.
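From the defender's side, the polyglot above is a useful regression input: the following added example (not code from the article or from any real site) reflects it through a hypothetical search-results template, once behind a tag blacklist and once behind output encoding, and reports which tags survive. The function names and the template are assumptions made for illustration.

```javascript
'use strict';

// The polyglot quoted in the article, embedded as constructed test input.
const POLYGLOT = 'jaVasCript:/*-/*`/*\\`/*\'/*"/**/(/* */oNcliCk=alert() )' +
  '//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>' +
  '\\x3csVg/<sVg/oNloAd=alert()//>\\x3e';

// Weak control: a tag blacklist that only removes <script> tags.
function blacklistFilter(input) {
  return String(input).replace(/<\/?script[^>]*>/gi, '');
}

// Strong control: encode every character that is significant in HTML
// element content and quoted attribute values.
const ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"'`]/g, (c) => ENTITIES[c]);
}

// Hypothetical reflected-search template, rendered both ways.
function renderWeak(q) {
  return `<p>Results for: ${blacklistFilter(q)}</p>`;
}
function renderSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Lists tag openers in the rendered page other than the template's own <p>.
// Any entry means user input was parsed as markup instead of text.
function injectedTags(html) {
  const tags = html.match(/<\/?[a-z][^\s/>]*/gi) || [];
  return tags.map((t) => t.toLowerCase())
    .filter((t) => t !== '<p' && t !== '</p');
}

// Note: escapeHtml covers the HTML body and quoted-attribute contexts only.
// Values placed in href/src or inside <script> need a context-specific
// encoder or an allowlist (the polyglot's leading scheme targets URLs).
console.log('blacklist :', injectedTags(renderWeak(POLYGLOT)));
console.log('encoding  :', injectedTags(renderSafe(POLYGLOT)));
```

Marking session cookies HttpOnly limits the cookie-theft impact described earlier, but it does not remove the injection itself.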

Top 25 XSS Bug Bounty Reports

The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.
