Reflected XSS in Django REST Framework Api at MapBox Subdomain

Reflected XSS in  
Django REST framework API at
 MapBox Subdomain 

Bounty : 500 $
Program : Mapbox
subdomain :


While I was testing 
I've found that Django REST framework API is Available for all Users 
( i don't mean admin panel I mean the normal paths )

So I start testing this /changesets/ path 
but i admit its hard to find a bug in Django Api

I notice that there is some Parameters

so i Started to test it 
The affected Parameter was date__gte=
its accept any payload to make XSS 

Poc was



Post a Comment