Exploiting a Self XSS On American Express

Sometime ago, ‘American Express‘ had launched its bug bounty program and I was on hunt for some bugs to report($). During which I found an XSS vulnerability on the search field of the page; but there was a catch!

The catch was that it was a Self XSS! i.e. the victim had to manually copy paste the malicious payload into the vulnerable field and click on search; for the code to execute in his/her browser. (Too much to ask for?)

As you know, bug bounty platforms clearly state that they do not accept any self XSS unless and until you have an exploitation scenario!

I started looking for a way to exploit this issue and found that the site was also vulnerable to ‘Clickjacking‘.

Note: The ‘search’ request was being handled by another subdomain in the backend and traditional methods had limited exploitability.

By utilizing the Clickjacking issue and combining it with the Drag-Drop game technique, it was possible to create an exploitation scenario; wherein the victim had to complete a series of steps for the payload to execute!

The Drag and drop games technique lures victims into playing apparently harmless short games by offering a ‘prize’ or challenging them to beat a certain completion time. In most cases the games consist of dragging certain objects (images of balls, fruit or letters) into corresponding table columns or containers (basket, fridge, etc.).

You can read more about it here.

Also, I found that almost all the ‘*.americanexpress‘ domains had the exact same functionality present on their landing page and were vulnerable, as shown below:

ezgif.com-video-to-gif (1)

Behind the Scenes:

By abusing the features of HTML / CSS, an attacker can set a transparent iframe; which allows overlaying of invisible iframe over legitimate websites, thus luring the victim into clicking on objects of the attacker’s choice, while being under the impression that they are browsing a harmless web page.


#trans {
overflow: hidden;
#holder {
overflow: hidden;

<di/v id=”holder”>
<i/frame src=”” height=”240″ width=”320″ scrolling=”no” id=”trans”></iframe>

In simple words…What you’re really making the victim do is, drag the XSS payload into the vulnerable field and click on ‘Search’.


Reported & Fixed.

Bounty: Yes.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s