This is, officially, my first recognized XSS bug that I've found. I am super excited because it basically confirmed that I am doing the right things in general and just need to be more patient about it. As they say, "everything is time" :)
So here I was, chilling in the morning, checking websites, and I decide to be a degen and visit my favorite animu/mango/hentai site, Sankaku Complex.
Sankaku has a long history of posting adult material on their website, and at some point implemented a simple disclaimer pop-over. I happened to notice that the URL that shows up in the bottom bar when you roll over the link was different and indicated a middleman URL with a redirect.
Right-click, copy link location. Paste in new tab. Such hacker, wow.
So, there IS a middleman!
Basically, the "then" parameter is used to generate the Yes/No links on that page, which is crazy because it isn't being properly sanitized.
I played around for a few minutes until I broke the system and could observe some behavior. It is amazing how many things will break if you just try inputting a single double-quote and a greater-than character.
Turns out on that field, you can inject arbitrary HTML, including
"> is all it took to break the page.
However, the full payload could be as short as:
The public disclosure date was 17 February 2019, and the report can be located at: https://www.openbugbounty.org/reports/726249/