Bug bounty tips: exploiting XSS on Instagram
Farhan Abbas shares an interesting XSS bug he recently discovered on a site that has no bug bounty program.
The background of the case
The target site let users enter an Instagram username; it then fetched that account's public profile picture and offered it for download. Because the page renders data pulled from a third party (the Instagram profile), that data is untrusted input, which made this simple feature a plausible place to find a vulnerability.
Hunting Journey
1. Enumeration
Farhan began by enumerating subdomains with subfinder, followed by subdomain brute-forcing
using knockpy. Waybackurls provided parameters, and gf identified possible XSS candidates.
Despite these efforts, initial scans yielded nothing.
2. Payload Testing
After the common XSS payloads sent through the site's own input field produced nothing, Farhan took a different approach. Instead of the form, he placed a simple XSS payload in the Name field of his own Instagram profile, so that it would reach the target site through the profile data the site fetched:
```html
<script>alert('XSS Attack!')</script>
```
3. Success with a Twist
Farhan then entered his own Instagram username in the target site's input field, right-clicked the resulting profile and opened the link in a new tab. The result? A triumphant XSS pop-up!
Simple Steps
1. Enter the XSS payload in the Name field of your own Instagram profile.
2. Input the Instagram username on the target site.
3. Right-click on the profile, select “Open Link in New Tab.”
4. XSS is exploited.
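The root cause behind these steps is that the target site treated a field fetched from Instagram (the profile name) as trusted and spliced it into its own HTML. The following is an added example, not code from the write-up or from the affected site: it simulates the render step with a constructed profile record (the `full_name`, `username` and `profile_pic_url` keys and the `cdn.example.invalid` host are assumptions), shows the vulnerable rendering beside a hardened one that escapes every third-party value for its HTML context and rejects non-http(s) picture URLs, and includes a small regression check a defender can keep in a test suite.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample of a profile lookup result; not real Instagram data.
# The full_name carries the payload from the write-up to show how it travels
# from the third-party profile into the target site's page.
SAMPLE_PROFILE = {
    "username": "example_user",
    "full_name": "<script>alert('XSS Attack!')</script>",
    "profile_pic_url": "https://cdn.example.invalid/pic.jpg",
}


def render_profile_unsafe(profile: dict) -> str:
    """Vulnerable rendering: third-party fields are spliced straight into HTML."""
    name = profile["full_name"]
    pic = profile["profile_pic_url"]
    return (
        f'<a href="{pic}" title="{name}">'
        f'<img src="{pic}" alt="{name}"></a>'
        f"<p>{name} (@{profile['username']})</p>"
    )


def safe_url(url: str, fallback: str = "/static/placeholder.png") -> str:
    """Allow only absolute http(s) URLs in href/src; javascript:, data: etc. get the fallback."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return url
    return fallback


def render_profile_safe(profile: dict) -> str:
    """Hardened rendering: every untrusted value is escaped for its HTML context."""
    # quote=True also escapes " and ', which matters inside title="..." and alt="..."
    name = html.escape(profile["full_name"], quote=True)
    user = html.escape(profile["username"], quote=True)
    pic = html.escape(safe_url(profile["profile_pic_url"]), quote=True)
    return (
        f'<a href="{pic}" title="{name}">'
        f'<img src="{pic}" alt="{name}"></a>'
        f"<p>{name} (@{user})</p>"
    )


_SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script_tag(markup: str) -> bool:
    """Regression check: does the rendered HTML contain an unescaped <script> tag?"""
    return _SCRIPT_TAG_RE.search(markup) is not None


if __name__ == "__main__":
    print("unsafe render has live script:", contains_live_script_tag(render_profile_unsafe(SAMPLE_PROFILE)))
    print("safe render has live script:  ", contains_live_script_tag(render_profile_safe(SAMPLE_PROFILE)))
    print(render_profile_safe(SAMPLE_PROFILE))
```

`html.escape` covers the HTML body and quoted-attribute contexts used here; a value that ends up inside a `<script>` block, an event handler or a URL needs the encoding for that context instead, which is why the picture URL is validated separately rather than merely escaped. In a real application the same rule applies to any field the site pulls from the third party, not just the name.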