Rxss inside href attribute - Bypassing lots of weird checks to takeover accounts!

Here is the final payload after bypassing all the weird checks —

javascript://;%250a+alert(document.cookie,%27\\@www.redacted.com/%27)

In case you are still curious about how/why this payload and the methodology, make sure to read the write-up till the end where I have explained everything in detail : )

I was hacking on a private program. It had two assets in scope — www.redacted.com and my.redacted.com (“redacted” — the word is used in place of the real domain name for privacy …

accounts bug bounty bugs bypassing hackerone hacking takeover weird xss-attack