Featured

How I Escalated a RXSS to PII Leak + ATO on a SaaS Platform

On a very good day, I was scrolling through external BBPs because I was getting tired of grinding the same platform programs on YesWeHack and similar sites. I came across this SaaS company's bug bounty program; they're based in India, and the scope was massive, with tons of products and a huge attack surface. My first report was a simple open redirect; they closed it as N/A, which was whatever - it was my first submission on their program anyway. The next day I went back to the target for more recon. While enumerating subdomains, I hit app.[redacted].com, and that led me straight to a reflected XSS on their Marketplace product. The vulnerable URL looked like this: https://marketplace.[redacted].com/app/embed/billing/telegram-for-zoho-billing?mode=true&serviceOrg=920557526%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&frameorigin=https://test.com It's a reflected Cross-Site Scripting (XSS) in the serviceOrg parameter. The app wasn't sanitizing the input ...

Latest Posts

URL Redirect Bypass via Weak String Validation Leading to Attacker-Controlled Domain Redirection

Breaking Directus CMS < 11.9.3 (From Information Disclosure to Arbitrary File Overwrite)

How I Exploited a CORS Misconfiguration To a Full Account Takeover Chain