Thursday, January 5, 2017

Reflected XSS in Etsy

Last month I found a reflected XSS in Etsy and received a bounty plus swag. I found it while browsing the mobile version of Etsy (you can get the mobile site by changing your browser's user agent to a mobile one). The vulnerable URL is and to reproduce the XSS, just enter an XSS payload in the search bar and it will execute. Etsy's security team fixed this within a day; the overall response time was one week (because of weekends). The bug was worth $500.
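
As an added illustration of the bug class above (this is not Etsy's code and was not part of the original post), here is a search-results template that reflects the query parameter into HTML unescaped, beside the fixed version that entity-encodes it. The function names, the `q` parameter and the page markup are assumptions.

```javascript
// Added example: reflecting a search query into a results page.
// Function names and markup are assumptions, not Etsy's code.

// Minimal HTML entity encoding for text placed inside element content or a
// double-quoted attribute value. Everything else is passed through unchanged.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the query is interpolated straight into the markup, so a value
// containing markup is parsed by the browser as HTML (reflected XSS).
// A mobile template is a separate code path from the desktop one, which is
// why a site can be fixed on desktop and still reflect on mobile.
function renderResultsPageVulnerable(query) {
  return `<h1>Results for ${query}</h1>` +
         `<input type="search" name="q" value="${query}">`;
}

// Fixed: encode at the point where untrusted text meets HTML.
function renderResultsPageFixed(query) {
  const safe = escapeHtml(query);
  return `<h1>Results for ${safe}</h1>` +
         `<input type="search" name="q" value="${safe}">`;
}

// Detection helper for a test or a response-scanning check: count '<' in the
// output. The template contributes a fixed number; any extra came from input.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

// Constructed sample input: a tag-shaped string with a quote, as a tester sends.
const sampleQuery = 'vintage "<b>lamp</b>"';

console.log("vulnerable:", renderResultsPageVulnerable(sampleQuery));
console.log("fixed:     ", renderResultsPageFixed(sampleQuery));
```

Comparing `countTagOpeners` on the rendered page against the same template rendered with an empty query is a cheap regression check that the reflection point stays encoded.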

That's all... Thanks.