How I was able to find 100+ XSS in the United nations Bug Bounty Program

Hey, Guys so this is my first blog. so I thought maybe give it try to show people how you could find bugs in an easy way

So let's get started

First After my recon for 4 days. I started to look for URLs. URLs of your choice may be from Wayback or live URLs from the website by crawling. so first I started for archive ones

For that, you could any tools of your choice. but for me, I used 2 two tools. Those are waybackurls and gau. I choose these two tools both combined like I would take URLs from both of them because of the fact. when I did my recon and send those subs to these tools. I have found out that both of these tools would give me new or different URLs and it kind of differs from the number of URLs found. Sometimes I would be getting more URLs from waybackurls tool written by tomnomnom other times i would be getting from gau. So yeah I kinda mix them and use them together.

So After i got all my urls i started for hunting XSS . My methology is different. I would look for only one type of bug for a long period of time . So I found a wooping of 1700000 urls at the end .

Now what Since I got my urls . I started using kxss this also amazing tool which was written by tomnomnom and I stored all the urls which were reflecting certain Unfiltered special characters . Now I picked those urls from it and started using dalfox .

You could use it as

cat urls.txt | kxss | awk ‘{print $4}’| sort -u >> xss_list.txt

or you can pipe it to dalfox directly as well which is up to you

cat urls.txt | kxss | awk ‘{print $4}’| sort -u | dalfox pipe -b <you blind xss> — custom-payload <your payload> -w 300 — multicast — mass — only-poc -o xss_vulns.txt

Here I found a xss with my custom payloads list i have created on my own .But one thing that striked me that the end parameter “lng” called language was found in 300+ urls from one domain lets say and when i started to find if all the lng parameter were vulnerable or not . To me Only 179 urls were vulnerable since those urls exits . The reset of the urls didn’t exist or return 404 .

The Funny thing was i able to find xss in 404 pages as well since it would not be vulnerable because there is nothing to exploit on the page .

Finally submitted to them in March -5th .

Was given hall of fame in April 22nd

Thank you for reading

Security Researcher | Bug Bounty hunter | Security Engineer