I wanted to let you know how I helped secure XVIDEOS.com.
After spending time enumerating the site, I quickly saw some text was reflected from the search field on the main website.
There was a hidden field that held a lot of JSON data. I was able to break the main page rendering with a very old payload.
The payload in question was
<! — <script>
On endpoint http://site.com/?search=
After inserting the payload and hitting enter, the whole page would not render (but was available in the source code still, just cut from where the payload had entered)
After lots of XSS and other tests, I found I could only insert the <script> tag and nothing else (all other tags gave no result). After more testing, I noticed that any payload with a forward slash (/) would break the payload.
The bug!
The payload <! — <script>
After some more research, this payload seemed to work by first using the HTML comment attribute “<! — “ then having a script tag. I can only assume at this point the website was automatically closing the <script> tag, thus causing the page to not render anymore.
I did read this was a very old bug affecting only older browsers but maybe due to an extra <script> tag being left after the Body of the main page, I believe this caused the error to show.
Initially, when I submitted the report to HackerOne, It was closed as not a security issue. But a few mins later the XVIDEOS staff kindly reopened and awarded me a bug bounty. It goes to show HackerOne might not think it's a bug but it's really down to the customer to feel how secure their portal should be.
Thanks for reading and happy bug hunting, hacking!!!
