[BugBounty] Reflected Cross Site Scripting BillMeLater

Dear followers,

i recently found a reflected Cross Site Scripting issue on a Subdomain of BillMeLater (Paypal acquisition) it was possible to break the style attribute and add malicious Javascript Code into the Application.

"--></style></ script >< script > alert ("XSS  ")</ script >

When ending the previous style and script element it was possible to add a new script element and executing the Payload, the complete URL looks like this now :

http://wwwb.search.billmelater.com/coupons/store/guess/?u=%27%22–%3E%3C/style%3E%3C/%20script%20%3E%3C%20script%20%3E%20alert%20%28%22XSS%20%20%22%29%3C/%20script%20%3E

thefindt

This one only worked in Firefox, Chrome and IE restricted the execution with the anti XSS feature.

The Bug was categorized as “Out of Scope” for whatever reason.

Hope you enjoyed, if you have any question left, please don’t hesitate to contact me at patrik.fehrenbach(at)it-securityguard.com

de_DEGerman