How to convince website owners that XSS should be fixed?

Posted: Mon Feb 12, 2018 5:39 am
by CoolCanuck97
I had a website owner reply with:
"What am I supposed to understand? All your URL does is show "OPENBUGBOUNTY" in a window. What's your point?"

While I can paste him some links and explain what XSS is, what would you say if you were asked? What wording would ensure it gets patched? How do I convince them that this is important and should be fixed?

Much appreciated

Re: How to convince website owners that XSS should be fixed?

Posted: Mon Feb 12, 2018 5:44 pm
by npuser500
I normally try the following.
1) Provide link on OWASP for explanation and top 10 web threats.
https://www.owasp.org/index.php/Cross-s ... ting_(XSS)
https://www.owasp.org/index.php/Top_10-2017_Top_10
2) Provide a thought experiment.
  • Embed the vulnerable link (here [vulnerable site] with injected payload) in another malicious site, an advertisement, or as a phishing link in an email. The injected payload contains a script that redirects to a lookalike site of the vulnerable site.
  • Subject clicks on the link.
  • Link redirects to trusted site (here [vulnerable site]) which in turn redirects to malicious site.
3) In one case, I provided an example of a redirect to Facebook (instead of a prompt) with XSS and explained it could have been any other malicious site to steal passwords or credit cards.
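The thought experiment in the reply above boils down to one thing: the site echoes attacker-controlled text into its HTML without encoding it. The following is an added example, not code from the thread or from any site mentioned in it, that shows the vulnerable reflection beside the fixed one and a Content-Security-Policy header as defence in depth. The search page, the `q` parameter, the `vulnerable.example` and `lookalike.example` hostnames, and the sample URL are all constructed for the example; it uses plain string functions instead of a web framework so it runs offline.

```python
"""Added example (not from the forum thread): why reflected XSS matters
and how output encoding neutralises it.

Assumptions (mine, not the thread's): a search page that echoes the
query parameter `q` back into its HTML. Hostnames are placeholders.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a link to the vulnerable site whose `q` parameter
# carries the kind of redirecting script the reply above describes.
# The lookalike domain is a placeholder, not a real site.
INJECTED_URL = (
    "https://vulnerable.example/search?q="
    "%3Cscript%3Ewindow.location%3D%22https%3A%2F%2Flookalike.example%22"
    "%3C%2Fscript%3E"
)


def query_param(url, name):
    """Return the decoded value of one query-string parameter ('' if absent)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get(name, [""])[0]


def render_vulnerable(q):
    """Reflect user input into markup verbatim: this is the XSS bug."""
    return f"<h1>Results for: {q}</h1>"


def render_fixed(q):
    """Encode for the HTML text context, so the browser displays the
    characters instead of parsing them as a script element."""
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"


def fixed_response_headers():
    """Defence in depth: a CSP that forbids inline scripts means even a
    missed encoding somewhere else will not run injected code."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


def contains_live_script(markup):
    """Crude contrast check: does the markup still hold a real <script tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    q = query_param(INJECTED_URL, "q")
    print("vulnerable:", render_vulnerable(q))
    print("fixed:     ", render_fixed(q))
    print("headers:   ", fixed_response_headers())
```

Running it prints the vulnerable page with an executable script element and the fixed page with `&lt;script&gt;...` as inert text; that side-by-side output is usually a more persuasive attachment for a site owner than a link that only pops a window, because it shows exactly what the one-line fix (`html.escape`, or the equivalent in their templating engine) changes.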