XSS on Bugcrowd and so many other website’s main Domain

May 30, 2018

Originally posted here [Old Blog]: http://witcoat.blogspot.com/2017/06/xss-on-bugcrowd-and-so-many-other.html

Hi all,

This is my first Blog post. I recently found Reflected Cross Site Scripting(XSS) vulnerability on Bugcrowd main domain which had huge impact.

Secret Parameter:

I was able to identify one secret parameter which was getting used by the server to respond differently and gave up error page showing `unable to find page 404 in locale `. This was pretty much atleast XSS and Yes!
Here is the POC video:


This didn’t only work on 404 page but also on the homepage for ex: https://bugcrowd.com?locale=xss. However this parameter didn’t seem to do anything else, so I immediately reported to Bugcrowd. When I woke up in the morning, I came to know that this bug was rather in Locomotive CMS, bugcrowd worked around showing that page at router level to mitigate the impact .
Knowing this I immediately checked out Locomotive CMS and so was their website vulnerable.



 So I went dorking for other websites using Locomotive CMS and I have so many POP UPS! but I can’t show them because they are still vulnerable.
If your application is using Locomotive CMS, chances are you are also vulnerable, but don’t worry If you find that you have this vulnerability, I believe there is a patch out there. Contact Locomotive CMS for more information.This had huge impact as all the submission data and other important information is hosted on main domain which means one click and few seconds of javascript processing will steal all the data from the user and take actions on behalf of users(CSRF).
After few days Locomotive fixed the bug and allowed disclosure. You can easily find some locomotive CMS application to test this out.Bugcrowd rewarded $600 for this, I didn’t agree with the reward amount but it was really nice to see the Quick Fix.

Got Thoughts? Tweet me here @v0sx9b ! Thanks for reading 🙂


Leave a Reply

Required fields are marked *.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Powered by WordPress.com.
%d bloggers like this: