Marine Engineer Cadet by day, Web Security Researcher by night
Saturday, October 10, 2015
XSS in Heroku (Bug Bounty)
I found a cross-site scripting (XSS) vulnerability in dashboard.heroku.com. Heroku has its bug bounty program hosted on Bugcrowd. This is my first bug on Bugcrowd. The bug was fixed after 2 weeks and I was rewarded with a $200 bounty.
Steps to reproduce:

1. Go to dashboard.heroku.com
2. Go to the "Deploy" tab
3. Click "New Pipeline"
4. Enter the XSS payload as the pipeline name
5. Click "Create Pipeline" and the XSS pop-up appears
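The root cause of a bug like this is a user-controlled value (here, the pipeline name) being placed into dashboard markup without escaping. The snippet below is an added illustration, not Heroku's code: the pipeline object, the function names and the sample name are assumptions, and it shows the unsafe rendering pattern next to its hardened form.

```javascript
// Added illustration (not Heroku's code). A pipeline object with a user-supplied
// name is rendered into a dashboard card. The unsafe version concatenates the
// name into markup verbatim; the hardened version escapes it first.
// The pipeline shape, function names and sample name are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML context (text and attribute).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: whatever the user typed as the pipeline name lands in the page as markup.
function renderPipelineCardUnsafe(pipeline) {
  return `<div class="pipeline" data-id="${pipeline.id}"><h2>${pipeline.name}</h2></div>`;
}

// Hardened: every user-controlled value is escaped before it reaches the markup.
// In a browser, assigning the name via element.textContent achieves the same effect.
function renderPipelineCardSafe(pipeline) {
  return `<div class="pipeline" data-id="${escapeHtml(pipeline.id)}">` +
         `<h2>${escapeHtml(pipeline.name)}</h2></div>`;
}

// Check used in a regression test: does the raw name survive unchanged in the output?
// For a name containing markup, "true" means the renderer is injectable.
function rawNameSurvives(renderFn, pipeline) {
  return renderFn(pipeline).includes(pipeline.name);
}

// Constructed sample: a pipeline name that carries markup, as a tester would enter it.
const SAMPLE_PIPELINE = { id: 'pipe-1', name: 'my-app <script>alert(1)</script>' };
```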