Assalamu Alaikum everyone. My name is Farhan, aka Fani Malik, a bug hunter. So, here I present an interesting XSS bug that I found a while ago.
So let's begin.
The target didn't have a bug bounty program; I randomly landed on the site, and after contacting the support team, they allowed me to hunt on it. The target was quite simple, with simple functionality: if you enter the username of any Instagram account in the input field, the site fetches the profile picture of that account and lets you download it (public profile pictures only, obviously). If you think the input field is vulnerable to XSS, you're wrong, so please keep reading the write-up.
First of all, I enumerated all subdomains of target.com with subfinder, followed by subdomain brute-forcing with knockpy. Then I used waybackurls to collect URLs with parameters to test for XSS, and gf to filter out the likely XSS parameters. After sorting the URLs, I used KXSS
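What a reflection check of the kind KXSS performs actually tests for, shown here as an added illustration that is not part of the original write-up: a probe containing a marker plus one special character is submitted, and the response is searched for that probe coming back verbatim. The two render functions are constructed stand-ins for a username-reflecting page like the target's, not its real code; the same check works as a regression test for your own application's output.

```python
import html

# Characters whose verbatim reflection matters for an HTML context.
SPECIALS = '<>"\''
CANARY = "fnmlk"  # constructed marker; any unlikely string works


def render_escaped(username: str) -> str:
    """Constructed stand-in for a response that escapes the reflected input."""
    return f"<p>Profile picture for {html.escape(username, quote=True)}</p>"


def render_raw(username: str) -> str:
    """Constructed stand-in for a response that reflects input verbatim (the defect)."""
    return f"<p>Profile picture for {username}</p>"


def unescaped_reflections(render, canary: str = CANARY) -> set:
    """Probe each special character once and report those that come back unescaped.

    `render` models one request/response round trip: it takes the submitted
    value and returns the HTML body. A character is reported only if the whole
    probe (marker, character, marker) appears untouched, which rules out
    coincidental matches on the marker alone.
    """
    leaked = set()
    for ch in SPECIALS:
        probe = f"{canary}{ch}{canary}"
        if probe in render(probe):
            leaked.add(ch)
    return leaked


if __name__ == "__main__":
    print("escaped page leaks:", unescaped_reflections(render_escaped) or "nothing")
    print("raw page leaks:    ", unescaped_reflections(render_raw))
```

An empty result from the escaped page shows that correct output encoding, not input filtering, is what removes the reflection; the raw page returns every probed character.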