How I got Reflected Cross Site Scripting(RXSS) on Manchester Metropolitan University

Hello Everyone
I hope you all are going well and good
So this is my third blog regarding bug hunting

If you want to read my previous 2 blogs regarding my findings click on the following link

how I got appreciation from Harvard University(harvard.edu):

how I got the hall of fame from Universiteit Utrecht(uu.nl)

So let’s start

First I was collecting all the URLs using the gau tool

GAU tool is a very much impressive tool made by Corben Leo

Link for gau tool:
https://github.com/lc/gau

By using grep command I sort out the URL which contains utm_ parameter

command:
cat url.txt | grep “utm_”

I would recommend to you if you got the following parameter then check each of them will be reflected or not

utm_source=
utm_compaign=
utm_medium=

but in our case, utm_compaign value is reflected to in input tag

now its time to balance the tag

My payload:

test”/><img src=x onerror=prompt(document.domain)>

Check-in browser

boom….!

After 10–15 days the security team fix the issue and received thankful mail from the Manchester Metropolitan University

I also disclosed some interesting video POC regarding my submission on youtube

Youtube: https://www.youtube.com/channel/UCD1HKXD7o-mLV9jmkS-emGw

LinkedIn: https://www.linkedin.com/in/santosh-bobade-531094192/

Twitter Handle: https://twitter.com/Santosh88267387

Thanks for reading….!