I was participating in a bug bounty on a website we will call example.com, when I ran into a very unusual edge case which I'm not sure I should report. The website uses ads and tracking similar to Google Analytics from a website we can call tracking.com. When visiting the example website there is an iframe to the tracking website. The source of the iframe can be seen below.

The example website also has a parameter called
https://example.com/?utm_source=";</script><script>alert(document.domain)</script> yields the alert "Embedded page at tracking.com says tracking.com". The issue is that the tracking website is not in scope of the bug bounty and I'm not even sure that the issue is caused by the tracking website. It seems like the example website allows the user to inject arbitrary JS into the iframe of the tracking website. Is this a bug worth reporting, or am I missing some easy way of escaping the iframe?

So far I have tried injecting </iframe> and things like e.onload=alert(1) to escape the iframe, but have not been successful. Since the example and tracking websites are on different domains, I cannot access things in the parent website (example) from the tracking website due to the "X-Frame-Options" header being set to "SAMEORIGIN".

As a beginner, this bug has me very confused as to how it should be classified and whether it is exploitable in any way. Any thoughts would be greatly appreciated!
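The break-out described in the question (a query parameter reflected into an inline script on the framed page, closed off with `";</script><script>`) can be reproduced and fixed in a few lines. The following is an added example, not code from the original post or from either site; the page template, the function names and the assumption that utm_source is concatenated straight into a JavaScript string literal are all mine, since the real iframe source is not shown above.

```javascript
// Added example (not from the original post). Models a tracking page that
// reflects a query parameter into an inline <script>, shows why the payload
// from the question escapes the string literal, and shows an encoding that
// prevents it. Template and names are assumptions, not tracking.com's markup.

// The payload from the question, reproduced verbatim.
const PAYLOAD = '";</script><script>alert(document.domain)</script>';

// Vulnerable rendering: raw concatenation into a JS string literal.
// The HTML tokenizer ends the <script> element at the first "</script>"
// it sees, regardless of JavaScript quoting, so the attacker can close the
// block and open a fresh <script> of their own.
function renderTrackingPageVulnerable(utmSource) {
  return [
    '<html><body>',
    '<script>var utm = "' + utmSource + '";</script>',
    '</body></html>',
  ].join('\n');
}

// Hardened rendering: JSON-encode the value, then replace the characters the
// HTML parser cares about ("<", ">", "&") and the JS line terminators
// U+2028/U+2029 with \uXXXX escapes. The script element can no longer be
// closed early, and the value still decodes to the original string in JS.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderTrackingPageSafe(utmSource) {
  return [
    '<html><body>',
    '<script>var utm = ' + jsStringLiteral(utmSource) + ';</script>',
    '</body></html>',
  ].join('\n');
}

// Crude check a tester can run over the rendered HTML: count the <script>
// start tags the tokenizer will see. The template contains exactly one, so a
// second one means the parameter broke out of the string literal.
function countScriptElements(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Summary of both renderings for the same payload.
function demo() {
  return {
    vulnerableScripts: countScriptElements(renderTrackingPageVulnerable(PAYLOAD)),
    safeScripts: countScriptElements(renderTrackingPageSafe(PAYLOAD)),
  };
}

console.log(demo());
```

The check is deliberately simple: it only answers the question the poster is asking ("did my parameter create a second script element on the framed page?"), which is the right thing to confirm before worrying about whether the frame can be escaped. Note that the alert fires with document.domain equal to tracking.com, so any script that runs this way executes in the tracking site's origin, not the parent's.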