How I was able to find 100+ XSS in the United Nations Bug Bounty Program

Hey guys, this is my first blog post, so I thought I would give it a try and show people how you can find bugs in an easy way.

So let's get started.

First, after 4 days of recon, I started collecting URLs. These can come from the Wayback Machine or from crawling the live website, whichever you prefer; I started with the archived ones.

For that you can use any tools you like, but I used two: waybackurls (written by tomnomnom) and gau. I combine them and take the URLs from both, because when I fed the subdomains from my recon into each tool I noticed that they return different sets of URLs, and the counts differ as well. Sometimes waybackurls gave me more URLs, other times gau did, so I mix the output of both and use them together.

After I had all my URLs I started hunting for XSS. My methodology is a little different: I look for only one type of bug for a long period of time. In the end I had a whopping 1,700,000 URLs.

Now that I had my URLs, I ran them through kxss, another great tool written by tomnomnom, and stored every URL whose parameters reflected certain special characters unfiltered. Then I took those URLs and ran them through dalfox.

You can use it like this:

cat urls.txt | kxss | awk '{print $4}' | sort -u >> xss_list.txt

Or you can pipe the output straight into dalfox; that is up to you:

cat urls.txt | kxss | awk '{print $4}' | sort -u | dalfox pipe -b <your blind xss> --custom-payload <your payload> -w 300 --multicast --mass --only-poc -o xss_vulns.txt

Here I found XSS using a custom payload list I had created myself. One thing that struck me was that the "lng" (language) parameter appeared in 300+ URLs from a single domain, so I went through them to check whether every lng parameter was vulnerable. Only 179 of those URLs were vulnerable, because only those URLs still existed; the rest no longer existed or returned 404.

The funny thing was that I was able to find XSS on 404 pages as well, even though you would expect them not to be vulnerable, since there is nothing on the page to exploit.
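As an added illustration (this is constructed example code, not code from the original post or from the UN site), here is a hypothetical pair of page handlers that echo the lng parameter the way described above: the unescaped version beside a hardened one, and a small check in the spirit of kxss that reports which special characters come back unencoded. The 404 case is included because an error page that reuses the same template is just as reflective as a real one; the hostname, allowlist and marker format are assumptions.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed, hypothetical handlers (not the UN site's code) that echo the
# ?lng= value into HTML, plus a reflection check in the spirit of kxss.
PROBE_CHARS = '"\'<>'
ALLOWED_LNG = {"en", "fr", "es", "ar", "ru", "zh"}  # constructed allowlist


def lng_from(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("lng", ["en"])[0]


def render_vulnerable(url: str, path_exists: bool = True) -> str:
    """Reflects the raw lng value into HTML. The 404 branch reuses the same
    template, which is why XSS can show up on pages that do not exist."""
    lng = lng_from(url)
    body = "<h1>Page</h1>" if path_exists else "<h1>404 Not Found</h1>"
    return f'<html lang="{lng}"><body>{body}<a href="?lng={lng}">{lng}</a></body></html>'


def render_hardened(url: str, path_exists: bool = True) -> str:
    """Same page, fixed: unknown codes fall back to a default instead of being
    echoed, and the value is HTML-encoded anyway (defence in depth)."""
    lng = lng_from(url)
    if lng not in ALLOWED_LNG:
        lng = "en"
    lng = html.escape(lng, quote=True)
    body = "<h1>Page</h1>" if path_exists else "<h1>404 Not Found</h1>"
    return f'<html lang="{lng}"><body>{body}<a href="?lng={lng}">{lng}</a></body></html>'


def unfiltered_reflection(render, url_template: str) -> set:
    """Return the special characters that come back unencoded in the response.
    This is the triage kxss performs: a parameter deserves a closer look only
    when at least one of these characters survives the round trip."""
    found = set()
    for ch in PROBE_CHARS:
        marker = f"kx{ch}kx"  # unique marker so we only match our own input
        page = render(url_template.format(value=quote(marker, safe="")))
        if marker in page:
            found.add(ch)
    return found


if __name__ == "__main__":
    tmpl = "https://example.test/news?lng={value}"  # constructed URL
    print("vulnerable page:", unfiltered_reflection(render_vulnerable, tmpl))
    print("vulnerable 404 :", unfiltered_reflection(lambda u: render_vulnerable(u, False), tmpl))
    print("hardened page  :", unfiltered_reflection(render_hardened, tmpl))
```

Running it shows all four probe characters reflected by both the normal and the 404 branch of the vulnerable handler, and none by the hardened one.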

I finally submitted the report to them on March 5th.

I was given a Hall of Fame listing on April 22nd.

Thank you for reading.




Security Researcher | Bug Bounty hunter | Security Engineer | CTF player | OSINT
