Based on the payload the author describes, it does look like an XSS.
document.domain returns the current domain used in the document because no redirect occurred. Similarly, if you typed it into your address bar right now, it would show you the HN domain.
thephyber|1 year ago
The server response probably injected the "continue" parameter into a <meta http-equiv="refresh" content="0: url=…" />. Google's bug bounty team likely would have adjusted the reward downward if it was not an XSS.
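As an added example (not code from the thread, the article, or Google), this is the kind of server-side check that stops a `continue` parameter from carrying a `javascript:` target into a redirect or meta refresh; the allowed host is a constructed placeholder.

```python
"""Validate a post-login 'continue' URL before reflecting it into a redirect."""
import html
from urllib.parse import urlsplit

# Constructed assumption: the only origin users may be sent back to.
ALLOWED_HOSTS = {"app.example.test"}
SAFE_FALLBACK = "/"


def sanitize_continue(value: str) -> str:
    """Return a redirect target safe to reflect, or SAFE_FALLBACK.

    Rejects non-http(s) schemes (the javascript: payload from the thread,
    data:, etc.), protocol-relative URLs ('//evil.test'), backslash
    confusables ('/\\evil.test', which browsers read as '//evil.test'),
    and absolute URLs pointing at any host outside ALLOWED_HOSTS.
    """
    if not isinstance(value, str) or not value:
        return SAFE_FALLBACK
    # Browsers ignore tabs/newlines inside a scheme ('java\tscript:'),
    # so any control or whitespace character is rejected outright.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in value):
        return SAFE_FALLBACK
    if "\\" in value:
        return SAFE_FALLBACK
    parts = urlsplit(value)  # lowercases the scheme, so 'JavaScript:' is caught
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return SAFE_FALLBACK
        # hostname strips userinfo, so 'https://app.example.test@evil.test'
        # resolves to 'evil.test' and is rejected.
        if parts.hostname not in ALLOWED_HOSTS:
            return SAFE_FALLBACK
        return value
    if parts.netloc:  # '//evil.test/...' has no scheme but a netloc
        return SAFE_FALLBACK
    if not parts.path.startswith("/"):
        return SAFE_FALLBACK
    return value


def render_meta_refresh(raw_continue: str) -> str:
    """Build the meta refresh tag with a validated, attribute-escaped target."""
    target = html.escape(sanitize_continue(raw_continue), quote=True)
    return f'<meta http-equiv="refresh" content="0; url={target}">'
```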
AndrewThrowaway|1 year ago
So I tried placing continue=javascript:alert(document.domain) there, and… it works!
What do you think document.domain returns in this case?
starmilk|1 year ago
It's commonly used as a placeholder in an alert-box XSS PoC. Weaponising this into an actual exploit could have been a fetch(), CSS inclusion, or enumerating localStorage.
notachatbot1234|1 year ago
says the article. If you disagree, could you elaborate why?