Pricing

HomeBlogBug Bounty Tips and Blog PostsBug bounty tips: exploiting XS...

Bug bounty tips: exploiting XSS on Instagram

Can Engin

Can Engin

Bug bounty tips: exploiting XSS on Instagram

Farhan Abbas shares an intriguing XSS bug recently discovered on a site lacking a bug bounty
program.

The background of the case

The target site allowed users to input an Instagram username, fetching and enabling the
download of public profile pictures. This simple functionality hinted at potential vulnerabilities.

Hunting Journey

1. Enumeration

Farhan began by enumerating subdomains with subfinder, followed by subdomain brute-forcing
using knockpy. Waybackurls provided parameters, and gf identified possible XSS candidates.
Despite these efforts, initial scans yielded nothing.

2. Payload Testing

After attempting common XSS payloads with no success, Farhan took a different approach.
Instead of the traditional input field, he injected a simple XSS payload into the Instagram Name
field:

```html
   <script>alert('XSS Attack!')</script>
   ```

3. Success with a Twist

Using his Instagram username in the target site’s input field, Fani right-clicked on his profile and opened the link in a new tab. The result? A triumphant XSS pop-up!

Simple Steps

1. Enter XSS payload in the Name Field of the Instagram Profile.

2. Input the Instagram username on the target site.

3. Right-click on the profile, select “Open Link in New Tab.”

4. XSS is exploited.

We thank Farhan for contributing to the international bug bounty hunters community with this bug bounty tip. Share a bug bounty tip with the BugBounter Community today.

Did you like this article? Spread the word!

Similar Posts

Shopping Basket