# Uncovering XSS on Flipkart

**Hello Everyone….**  
I hope you all are doing well. This write-up is about Flipkart's Cross-site scripting Vulnerability.

**Cross-site scripting (XSS)**  
Cross-site scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

When I was searching for a bug bounty program I came across the [Flipkart bug bounty program](https://www.flipkart.com/pages/security). In that program for valid submission, Flipkart will mention the bug bounty hunter's name in their Hall of Fame. So I decided to give it a try.

**Started hunting on Flipkart**

After some recon, I found one issue related to the No Rate limit

* Fri, 20 Nov 2020 - Reported that issue to the Flipkart Security team.
    
* Sun, 22 Nov 2020 - Got a response from the team and it’s a Duplicate
    

**Disappointed…**

Then I decided that if I give 2nd try

Again started my hunting journey on Flipkart. This time I started with proper recon steps. So started with subdomain enumeration. So I came across one of the Flipkart domain. It’s a normal login form page.

I tried with SQL injection here, but no result. Then tried with a normal XSS payload on a URL parameter. It works. XSS alert popped up.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708364605197/5d11f5d5-7c8a-4fc4-8eaa-7fcec1744cd4.png align="center")

Then I used XSS hunter payload on the same URL parameter.

I received an email from XSS Hunter and POC was created. Here we can be able to see the triggered IP, URL location, and a screenshot of that page.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708364622594/56887703-8a49-44de-9342-f7f19d9b2db2.png align="center")

So finally, I am done with Bug Hunting. So it’s reporting time. Then I prepared a clean report and submitted it to the Flipkart security team.

**Report Timeline:**

* Thu, 17 Dec 2020 - Reported to Security Team
    
* 18 Dec 2020 - First response from the team
    
* 28 Dec 2020 - Bug Accepted
    
* 5 Jan 2021 - Issue fixed
    
* 08 Jan 2021 - Acknowledged in their [Hall of Fame](https://www.flipkart.com/pages/security).
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708189801363/acc3fb87-8ad3-408d-ba87-53cd0ecc0b9f.png align="center")
