I was on break for a year because of my dad’s health issue 🙁
But now I’am back 😀
This is my first write up on medium.com , its a old finding but may help you 😉
Ok. So one day I was doing some work with my friend and visited PayPal to get a Pay with PayPal button.
I logged in to PayPal and moved to tools section and clicked on PayPal buttons. After clicking PayPal redirected me to https://financing.paypal.com/ppfinportal/adGenerator
Here we can create buttons.
While generating a button I looked on the URL bar and got excited.
The URL was some thing like this https://financing.paypal.com/ppfinportal/adGenerator/emailCopy?size=320×200
The banner size was in url .So i decided to test it.
I’ve changed the size to LOL
and got surprised , the width size in embed code changed to LOL
Now what 😛
I’ve changed LOL string to a XSS payload and the size became “><img src=x onerror=prompt(1)>
Now the size in embed code became “><img src=x onerror=prompt(1)> . Which means if you’ll use the infected embed code you’ll be greeted by XSS popup 😛
Look at the embed code carefully 😛
So this accidental XSS gave me 250$ 😀
Credit goes to Pflash Punk