As long as your web application published on Internet, one day it will face the hackers scanning. There is no 100% security and you always want to find out the vulnerability first before it can be exploited. There are many bounty programs online to attract hackers to search those vulnerabilities and publish out, also notify web master. Open Bug Bounty is one of them and probably most popular one.
1. Open Bug Bounty Website
Started in June 2014, Open Bug Bounty is a non-profit platform designed to connect security researchers and website owners in a transparent, respectful and mutually valuable manner. Open Bug Bounty’s coordinated vulnerability disclosure platform allows any security researcher reporting a vulnerability on any website as long as the vulnerability is discovered without any intrusive testing techniques and is submitted following responsible disclosure guidelines.
2. Search the Website you want to check
3. Check the finding
There is a vulnerable URL:
http://www.abc.efg/en/1247.htm?query=”/><script src=https://openbugbounty.org/1.js>
and the screenshot to prove this vulnerability.
Another url relating Cross Site Scripting you can try is :
http://www.abc.efg/en/1247.htm?query=”/><script>alert(/XSSPOSED/)</script>
4. Verify the vulnerability
Unfortunately, if you directly copy the url into web browser , it wont work since most of modern browser has a feature to block this type of XSS (Cross Site Scripting) attack.
If you use Microsoft Edge, you will find the same result shows in the OpenBugBounty website.
For Chrome, you will need enable one parameter ‘-disable-xss-auditor‘ to bypass XSS auditor:
 |
| Chrome with -disable-xss-auditor |
After clicked ok, close all Chrome window. Reopen Chrome again with this new added parameter -disable-xss-auditor.
