SEMrush: XSS on redirection page (Bypassed)

ID H1:316319
Type hackerone
Reporter kunal94
Modified 2018-06-13T11:42:31


Hello Semrush Team, in report ID 311330, I was filed as a duplicate, and the redirection URL is fixed, which made me feel happy, as a deserving bounty hunter gets a reward.

However, after the fix from last night, I finally bypassed the redirection method, which not only triggered XSS but also redirects to somewhere else.

To reproduce

So, I tried to craft an XSS like javascript://%0aalert(document.cookie) at the end of the redirection URL, but it doesn't work. Afterwards, I encoded %0a to %250a, then modified the payload and injected it at the end of the URL, and it works like a charm.

Here are the XSS payloads

When a particular user clicks the button, it's going to trigger an XSS.

Now, here comes the tricky part regarding unvalidated redirection:

Now, if you inject javascript://%250Aalert(document.location="",document.location="") at the end of the URL like this "",document.location="")

and a particular user clicks go to site, the first page will pop up and then it's going to redirect to

Please consider it and let me know.

With regards, Kunal

(Attaching with single PoC) F263582


An attacker can perform dangerous attacks using XSS.
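
A server-side or client-side check that closes the bypass described in the report, shown as an added example that is not part of the original report or SEMrush's code: the redirect target is accepted only if its scheme is allow-listed at every percent-decoding stage. The function name, the constants and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not SEMrush's code): validate a redirect target before it
// is written into the "go to site" link. Constants below are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_DECODE_ROUNDS = 5;
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Returns the normalized URL when `raw` is safe to use as an href, else null.
// Every percent-decoding stage is checked, so a value that only becomes
// dangerous after a second decode (%250a -> %0a -> newline) is refused.
function safeRedirectTarget(raw) {
  if (typeof raw !== "string") return null;
  const original = raw.trim();
  let current = original;
  for (let round = 0; round <= MAX_DECODE_ROUNDS; round++) {
    if (CONTROL_CHARS.test(current)) return null;
    let url;
    try {
      url = new URL(current); // absolute URLs only; relative input throws
    } catch {
      return null;
    }
    // Allow-list the scheme: javascript:, data:, vbscript: etc. all fail here.
    if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      return null; // malformed escape such as a lone "%": reject
    }
    if (next === current) return new URL(original).href; // fully decoded
    current = next;
  }
  return null; // still changing after the cap: treat as hostile
}

// Constructed sample inputs, including the two payload shapes from the report.
const SAMPLES = [
  "javascript://%0aalert(document.cookie)",
  "javascript://%250aalert(document.cookie)",
  "https://example.com/%250a",
  "https://example.com/path?q=a%20b",
];
for (const s of SAMPLES) console.log(s, "=>", safeRedirectTarget(s));
```

The scheme allow-list is what stops both payloads; the per-stage decoding is defence in depth for deployments where a later layer decodes the value again.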