How I got Reflected Cross-Site Scripting (RXSS) on Manchester Metropolitan University

Santosh Bobade
Aug 7, 2021


Hello everyone,
I hope you are all doing well.
So this is my third blog regarding bug hunting.

If you want to read my previous 2 blogs regarding my findings, click on the following links:

How I got appreciation from Harvard University

How I got the hall of fame from Universiteit Utrecht

So let’s start

First, I collected all the URLs using the gau tool.

gau is a very impressive tool made by Corben Leo.

Link for gau tool:

Using the grep command, I sorted out the URLs that contain a utm_ parameter:

cat url.txt | grep "utm_"

I would recommend that, if you find the following parameters, you check whether each of them is reflected or not.


But in our case, the utm_compaign value is reflected in an input tag.

Now it's time to balance the tag.

My payload:

test"/><img src=x onerror=prompt(document.domain)>

Check in the browser


After 10–15 days the security team fixed the issue, and I received a thank-you mail from Manchester Metropolitan University.

I also disclosed some interesting video PoCs regarding my submissions on YouTube.
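
The post does not say how the issue was fixed. As an added example (not from the original post and not the university's code), here is the reflection pattern described above next to an output-encoded version; the function names, the `campaign` field name and the `site.example` URL are assumptions.

```javascript
// Added example with hypothetical names; the URL below is constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can end a quoted attribute value or open a tag.
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the tracking parameter the way a server-side handler would.
function campaignFrom(url) {
  return new URL(url).searchParams.get('utm_compaign') ?? '';
}

// Before: the raw value is concatenated into value="...".
function renderUnsafe(url) {
  return '<input type="hidden" name="campaign" value="' + campaignFrom(url) + '">';
}

// After: the value is encoded for the attribute context first.
function renderSafe(url) {
  return '<input type="hidden" name="campaign" value="' + escapeHtmlAttr(campaignFrom(url)) + '">';
}

// Count tag openings in the output; a safe render has exactly one (<input).
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// The payload from the post, URL-encoded into a constructed request URL.
const payload = 'test"/><img src=x onerror=prompt(document.domain)>';
const sampleUrl = 'https://site.example/page?utm_compaign=' + encodeURIComponent(payload);

console.log(renderUnsafe(sampleUrl), countTags(renderUnsafe(sampleUrl)));
console.log(renderSafe(sampleUrl), countTags(renderSafe(sampleUrl)));
```

In the unsafe render the quote in the value closes the attribute and a second tag appears in the output; in the safe render the same input stays inside `value="..."` as inert text.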



Twitter Handle:

Thanks for reading!