XSS (Cross-Site Scripting)

How Instagram Helped Me To Exploit XSS 🔥

Farhan, published in InfoSec Write-ups, Oct 11, 2021

AssalamuAlaikum everyone. My name is Farhan, aka Fani Malik, a bug hunter. Here I'm sharing an interesting XSS bug that I found a while ago.

SO LET’S BEGIN


The target didn't have a bug bounty program; I randomly landed on the site, and after contacting the support team they allowed me to hunt on it. The target was quite simple, with simple functionality: if you enter the username of any Instagram account in the input field, the site fetches that account's profile picture and lets you download it (public profile pictures, obviously). If you think the input field itself is vulnerable to XSS, you're wrong; please keep reading the write-up.

First of all, I enumerated all subdomains of target.com with subfinder, then did subdomain brute-forcing with knockpy. Next I used waybackurls to collect parameters to test for XSS, and gf to filter out the likely XSS parameters. After sorting the URLs I ran KXSS and Dalfox. Bad luck, I got nothing.

Then I entered an XSS payload in the username field; nothing happened. Then I put my own Instagram username in the username input field and was able to download my profile picture.

I thought, let's try something new: everyone pastes the payload into the input field, so why should I do the same? Instead I entered a simple XSS payload in the name field of my Instagram profile, just like below.

[Screenshot: XSS Payload]

Then I copied my Instagram username and pasted it in the username field of target.com, right-clicked on my profile, and chose Open Link in New Tab.

[Screenshot: Open Link in New Tab]

After opening the profile in a new tab:

[Screenshot: XSS]

BOOM 💥💥💥 XSS pop-up.

Simple Steps:-

  • Enter your XSS payload in the name field of your Instagram profile.
  • Now enter your Instagram username in the username field of target.com.
  • Now select your profile, right-click, and choose Open Link in New Tab.
  • Boom 💥💥💥 XSS
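The root cause here is that the target site trusted data it fetched from a third party (the Instagram display name) and wrote it into its own HTML unencoded. The following Python snippet is an added example, not the author's code or the target site's: a hypothetical profile-card renderer in its vulnerable form next to a hardened one, fed a constructed profile whose name field carries a test payload.

```python
import html
from urllib.parse import quote

# Constructed sample of what a third-party profile API might return.
# Every value is hypothetical; the full_name is the attacker-controlled field.
FETCHED_PROFILE = {
    "username": "fani_malik",
    "full_name": "<img src=x onerror=alert(1)>",
    "profile_pic_url": "https://cdn.example/pic.jpg",
}


def render_profile_vulnerable(profile: dict) -> str:
    """Builds the profile card the way the write-up implies the target did:
    the fetched name is concatenated straight into the markup, so a payload
    stored in the Instagram name field runs in the target site's origin."""
    return (
        f'<a href="/download?user={profile["username"]}" target="_blank">'
        f'<img src="{profile["profile_pic_url"]}" alt="{profile["full_name"]}">'
        f'{profile["full_name"]}</a>'
    )


def render_profile_safe(profile: dict) -> str:
    """Treats every field from the upstream API as untrusted input:
    HTML-escapes text and attribute values (quote=True also escapes quotes),
    URL-encodes the query parameter, and only accepts http(s) picture URLs."""
    pic = profile["profile_pic_url"]
    if not pic.lower().startswith(("https://", "http://")):
        pic = ""  # refuse javascript:/data: URLs inside the src attribute
    name = html.escape(profile["full_name"], quote=True)
    return (
        f'<a href="/download?user={quote(profile["username"], safe="")}" target="_blank">'
        f'<img src="{html.escape(pic, quote=True)}" alt="{name}">'
        f"{name}</a>"
    )


def contains_raw_field(markup: str, field: str) -> bool:
    """True if the untrusted field reached the markup without encoding."""
    return field in markup


if __name__ == "__main__":
    print(render_profile_vulnerable(FETCHED_PROFILE))
    print(render_profile_safe(FETCHED_PROFILE))
```

Browser-side, a Content Security Policy without unsafe-inline would have blocked this inline handler even with the encoding bug present; it is a second layer, not a replacement for output encoding.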

Learning:-

If you are a beginner and don't know what XSS is, please refer to the links below:-

You can practice on PortSwigger labs for hands-on experience.

Thanks for reading; I'm expecting a clap from you. If you have any questions, my Twitter and Instagram profiles are below. You can DM me at any time.

GOOD BYE :)
