Why proofing impact for every XSS is "dumb" - Bug Bounty Reports

LiveUnderflow · Advanced ·🔐 Cybersecurity ·4y ago

Key Takeaways

The video discusses the importance of providing proof of concept for XSS vulnerabilities in bug bounty reports, but argues that it's not necessary to prove impact for every single XSS, especially if the capability of XSS on a particular domain is already understood. It also touches on the idea of bug bounty programs listing their subdomains and indicating their criticality to help hunters focus on the most important ones.

Full Transcript

I had a bit of a discussion on Twitter regarding showing impact of XSS, especially in bug bounties. There's always this conversation: you need to provide a proof of concept to show impact. And that is important, but only once. Once there's one example, like the developers of Blogger or the Google triagers, once you understand what the capability of XSS on blogger.com can do, you don't need to re-prove it. You don't need anybody else to write the proof of concept. You understand now that XSS on Blogger is critical, and so you don't need to re-prove that; alerting blogger.com, the domain, is enough. You know, "oh, it's on blogger.com, oh, that's critical", that's fine.

And so with bug bounty reports, I understand: if it's a new client, a new bug bounty program, they don't really have security experience yet and they want to get a bit of knowledge with bug bounties. Maybe they are not aware which domains are really critical for them, right? Because they have multiple domains: they have the dev.something domain, they have the api.something domain, they have the whatever.something domain. So they have a lot of different domains, and one part is hosting their JavaScript, one domain is holding the local storage, one domain has cookies. So they should know, but maybe they don't know yet the impact of it. So as a pen tester, if you do an audit, or if you're a bug bounty hunter, you need to show them once: you know, this is your critical domain, here's a proof of concept, here's an example. This doesn't have to be a full XSS though; just by looking at which domain has the cookies, which domain has the local storage and so forth, this allows you to already assess, okay, this is the critical domain, without having an XSS in the first place. But once you have an XSS with the proof of concept, that's good enough as well.

Anyway, what I'm saying is that once one bug bounty hunter showed that this domain is critical with one proof of concept, all the other bug bounty hunters coming after it shouldn't have to write a proof of concept again to show that this domain is critical. Basically, in my opinion, I think for bug bounty programs it would be easiest if they list all their subdomains or domains and write behind it how critical it is, because there will be subdomains where the XSS doesn't really matter. For example, a lot of websites, when you upload an image, an avatar, that image is then put on a static host. So it might for example be put in an S3 bucket and you host the image there, but the website itself runs on a different domain; it just uses S3 for the image. Now oftentimes you can actually just upload anything to S3, and you can upload an HTML document, and this HTML document can now have JavaScript, and now you have an XSS on the domain of this website. But the impact is basically zero, because this XSS cannot do anything on the main domain, because it's on the S3 bucket, right? So I guess that's also why they exclude the domain from the program. With S3 buckets I guess it's clear, but it could also be their own service; maybe they have an image.website.com where they host static content like this, and you get the point.

So, I don't know where I started with that. What I'm just saying is that they should list their subdomains and write after it: this is the critical domain, if you find XSS here this is critical; and if you find XSS here it's annoying, we would like to not have it there, so it's a medium or low; and here are our sandbox subdomains, and an XSS on there doesn't matter. Does that make sense?

And a bit unrelated, that has to do with a different video I made before: if your only argument is "it's phishing", it's not a valid issue in my opinion. That is not a vulnerability. If it can only be used for phishing, in my opinion, and I'm feeling pretty strongly about that, it's not a vulnerability.
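The triage rule the video describes (XSS criticality follows which origin holds the cookies and local storage, a third-party static bucket reaches neither) can be checked mechanically from a program's asset inventory. The following is an added example, not code from the video or from any bug bounty platform; the hostnames and the cookie inventory are constructed, and cookie reachability follows the RFC 6265 domain-match rule, so it also shows the case the video only hints at: a first-party static subdomain like image.website.com can read a cookie scoped to .website.com, while an S3 bucket cannot.

```python
"""Assess what script running on a given origin could reach.
Added example with a constructed inventory; all hostnames are hypothetical."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # Domain attribute as sent, or the setting host if host-only
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    http_only: bool   # HttpOnly cookies are invisible to document.cookie


def domain_matches(host, cookie_domain):
    """RFC 6265 5.1.3 domain-match: host equals the cookie domain or is a
    subdomain of it, respecting label boundaries (evilwebsite.com must not match)."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_readable_by_script(origin, cookies):
    """Names of cookies that document.cookie would expose on `origin`."""
    host = urlsplit(origin).hostname
    readable = set()
    for c in cookies:
        if c.http_only:
            continue
        if c.host_only and host == c.domain.lower():
            readable.add(c.name)
        elif not c.host_only and domain_matches(host, c.domain):
            readable.add(c.name)
    return readable


def assess_xss(origin, cookies, storage_origins):
    """Return (readable cookie names, whether same-origin storage is reachable).
    Both empty means the XSS is confined to a sandbox-like origin."""
    readable = cookies_readable_by_script(origin, cookies)
    return readable, origin in storage_origins


# Constructed inventory: the app lives on app.website.com, keeps a token in
# localStorage there, and sets one cookie for the whole parent domain.
INVENTORY_COOKIES = [
    Cookie("session", "app.website.com", host_only=True, http_only=True),
    Cookie("csrf", "app.website.com", host_only=True, http_only=False),
    Cookie("prefs", ".website.com", host_only=False, http_only=False),
]
STORAGE_ORIGINS = {"https://app.website.com"}

if __name__ == "__main__":
    for o in ("https://app.website.com", "https://image.website.com",
              "https://uploads-bucket.s3.amazonaws.com"):
        print(o, assess_xss(o, INVENTORY_COOKIES, STORAGE_ORIGINS))
```

Run as a script it prints one line per origin; the S3 bucket line shows an empty cookie set and no storage access, the image subdomain shows only the domain-scoped `prefs` cookie.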

Original Description

Excerpt from Stream: https://www.youtube.com/watch?v=o75PxDp-Zww

Twitch Subscription: https://www.twitch.tv/products/liveoverflow
Per Video: https://www.patreon.com/join/liveoverflow
Per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

Info: Main Channel: https://youtube.com/LiveOverflowCTF · Twitch: https://twitch.tv/LiveOverflow

Social: Twitter: https://twitter.com/LiveOverflow/ · Website: https://liveoverflow.com/ · Subreddit: https://www.reddit.com/r/LiveOverflow/ · Facebook: https://www.facebook.com/LiveOverflow/

#liveoverflow

The video teaches the importance of providing proof of concept for XSS vulnerabilities in bug bounty reports, but also argues that it's not necessary to prove impact for every single XSS. It also discusses the idea of bug bounty programs listing their subdomains and indicating their criticality to help hunters focus on the most important ones. This is crucial for effective bug bounty hunting and vulnerability assessment.

Key Takeaways
  1. Identify critical domains and subdomains
  2. Provide proof of concept for XSS vulnerabilities
  3. Prioritize bug bounty hunting efforts based on domain criticality
  4. Assess the impact of XSS vulnerabilities
  5. Determine the criticality of domains and subdomains
  6. Conduct pen testing for web applications
  7. Identify XSS vulnerabilities and provide recommendations for remediation
💡 Once the capability of XSS on a particular domain is understood, it's not necessary to prove impact for every single XSS, and bug bounty programs should list their subdomains and indicate their criticality to help hunters focus on the most important ones.
