Aug 29, 2018

Reflected XSS in Django REST Framework API at MapBox Subdomain



Bounty: 500 $
Program: Mapbox
Subdomain:


While I was testing, I found that the Django REST framework API was available to all users
(I don't mean the admin panel, I mean the normal paths).

So I started testing the /changesets/ path,
though I admit it is hard to find a bug in a Django API.

I noticed that there were some parameters,

so I started to test them.
The affected parameter was date__gte=;
it accepted any payload, which made XSS possible.
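To tell a safely escaped reflection from the verbatim reflection that makes a parameter like date__gte exploitable, here is an added example (my own code, not the author's PoC or Mapbox's code) that classifies how each query-string parameter comes back in an HTML response. The host name, the probe marker and the two response bodies are constructed for the example.

```python
"""Added example (not from the original post): classify how each query-string
parameter of a request is reflected in the HTML response body, so a tester can
separate escaped reflection (safe) from verbatim reflection (the XSS condition).
The URL, marker and response bodies below are constructed sample data."""
import html
from urllib.parse import parse_qsl, urlencode, urlsplit

# Distinctive marker carrying the characters that matter in an HTML context.
# It is inert on its own; only its verbatim return in the body is meaningful.
MARKER = '<probe-marker data="1">'
MARKUP_CHARS = set('<>"\'')


def classify_reflections(url: str, body: str) -> dict:
    """Return {param: 'unescaped' | 'escaped' | 'absent' | 'not-probed'}.

    'unescaped' means the raw value, markup characters included, appears in
    the body: the condition a reflected XSS needs. Parameters whose value has
    no markup characters (e.g. page=2) are reported as 'not-probed', since a
    short plain value matching somewhere in the body proves nothing.
    """
    result = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if not MARKUP_CHARS & set(value):
            result[name] = "not-probed"
        elif value in body:
            result[name] = "unescaped"
        elif html.escape(value, quote=True) in body:
            result[name] = "escaped"
        else:
            result[name] = "absent"
    return result


# Constructed request against a hypothetical host; only the path and
# parameter names mirror the post.
REQUEST_URL = "https://api.example.invalid/changesets/?" + urlencode(
    {"date__gte": MARKER, "page": "2"}
)

# Constructed responses: one renders the filter value escaped, one verbatim.
ESCAPED_BODY = "<p>date__gte=" + html.escape(MARKER, quote=True) + "</p><p>page=2</p>"
UNESCAPED_BODY = "<p>date__gte=" + MARKER + "</p><p>page=2</p>"

if __name__ == "__main__":
    print("escaped response:  ", classify_reflections(REQUEST_URL, ESCAPED_BODY))
    print("unescaped response:", classify_reflections(REQUEST_URL, UNESCAPED_BODY))
```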

PoC was



Security Researcher at Many Websites - Bug Hunter - Civil Engineer Student