How I got a 300 euro bounty
Hi everyone, I am back with another writeup.
Let's start.
This is a limited-scope program on Intigriti.
Only the main domain is in scope.
First, let's call the domain doordie.com.
First step:
I collected the endpoints using the Xnl Reveal Chrome extension.
Then I started testing each URL for sensitive or vulnerable
endpoints for XSS. After spending hours, I found one URL,
but when I opened that URL it gave a blank page.
The URL looked like this:
“https://doordie.com/o/oauth2/redirect”
I tried open redirect, which did not work; then I tried XSS, which did not work; then I
decided to go for hidden parameter fuzzing.
We all already know the Arjun tool. Using this tool I fuzzed for hidden
parameters. I was thinking this would be of no use, but suddenly it gave me
the hidden parameter “code”.
Then I crafted the URL using the “code” parameter with an XSS payload.
It looks like this:
payload:</script><script>alert(1)</script>
https://doordie.com/o/oauth2/redirect?code=1</script><script>alert(1)</script>
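
Added example, not part of the original writeup and not the program's code: a sketch of why a payload starting with </script> works when a parameter is reflected inside an inline script block, next to an encoding that neutralizes it. That the page embeds "code" in an inline script is an assumption inferred from the payload shape; all function names are hypothetical.

```javascript
// Added example (not the program's code). Assumption: the redirect page
// embeds the "code" query parameter inside an inline <script> block.

// Constructed input: the value from the URL in the writeup.
const SAMPLE_CODE = '1</script><script>alert(1)</script>';

// Vulnerable: the value is pasted into a JavaScript string literal as-is.
// The HTML parser ends the script element at the first "</script>",
// so the rest of the value is parsed as new markup.
function renderVulnerable(code) {
  return '<script>var code = "' + code + '";</script>';
}

// Hardened: serialize as JSON, then escape the characters that matter to
// the HTML parser (and the JS line separators) as \uXXXX sequences.
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderHardened(code) {
  return '<script>var code = ' + jsonForInlineScript(code) + ';</script>';
}

// Counts the <script> opening tags an HTML parser would see in the output.
function countScriptOpenTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Recovers the value from the hardened page to show it is unchanged.
function readBack(html) {
  const literal = html.slice('<script>var code = '.length, -';</script>'.length);
  return JSON.parse(literal);
}

console.log(renderVulnerable(SAMPLE_CODE));
console.log(renderHardened(SAMPLE_CODE));
```

The vulnerable output contains two script elements, the hardened output only the one the server intended, and the application still reads back the exact original value.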