XSS on Bugcrowd and so many other website's main Domain
This is my first Blog post. I recently found Reflected Cross Site Scripting(XSS) vulnerability on Bugcrowd main domain which had huge impact.
I was able to identify one secret parameter which was getting used by the server to respond differently and gave up error page showing `unable to find page 404 in locale <my input>`. This was pretty much atleast XSS and Yes!
Here is the POC video:
This didn't only work on 404 page but also on the homepage for ex: `https://bugcrowd.com?locale=xss`. However this parameter didn't seem to do anything else, so I immediately reported to Bugcrowd. When I woke up in the morning, I came to know that this bug was rather in Locomotive CMS, bugcrowd worked around showing that page at router level to mitigate the impact .
Knowing this I immediately checked out Locomotive CMS and so was their website vulnerable.
So I went dorking for other websites using Locomotive CMS and I have so many POP UPS! but I can't show them because they are still vulnerable.
If your application is using Locomotive CMS, chances are you are also vulnerable, but don't worry If you find that you have this vulnerability, I believe there is a patch out there. Contact Locomotive CMS for more information.
After few days Locomotive fixed the bug and allowed disclosure. You can easily find some locomotive CMS application to test this out.
Bugcrowd rewarded $600 for this, I didn't agree with the reward amount but it was really nice to see the Quick Fix.
Got Thoughts? Tweet me here @v0sx9b ! Thanks for reading :)