Discovering an XSS Vulnerability on Vue.js 2.6.10 WebApp

3 min readJun 21, 2024


While exploring the website, I stumbled upon a fascinating vulnerability in the search functionality. This discovery not only highlighted the efficiency of my #IBRAHIMXSS Tool but also underscored the importance of thorough testing in web security.

The Discovery

It all began on the homepage, where I noticed a search bar prominently displayed. Curious, I typed “aaa” into the search field and was redirected to a new URL: Interestingly, my search term “aaa” appeared directly in the path URL without any query parameters.

Analyzing the Response

Recognizing the potential for an XSS vulnerability, I decided to inspect the page response. Upon closer examination, I found the following HTML meta tag:

<meta property="og:description" content="Results for &#39;aaa&#39; Movies and Series | "/>

To probe further, I tested the input with aaa'<, which resulted in:

<meta property="og:description" content="Watch aaa&#39;&lt; movies and series for free on Redacted, download aaa&#39;&lt; movies and shows in HD with Redacted"/>

Leveraging #IBRAHIMXSS Tool

At this point, I realized that this input was potentially injectable, and I decided to use the --path option in my #IBRAHIMXSS Tool to further investigate. The tool allows for thorough path-based analysis, making it ideal for this scenario.

Identifying the Technology

Using the Wappalyzer extension on Firefox, I identified that the domain is built on Vue.js 2.6.10. This information was crucial as it helped tailor my attack vectors.

Firing the Tool

Armed with this information, I fired up the #IBRAHIMXSS Tool and deployed a full suite of payloads. Within seconds, the tool generated a report filled with multiple popups, indicating successful execution of several JavaScript and Angular payloads.

Proof of Tool’s Accuracy

This discovery is proof that the #IBRAHIMXSS Tool works without any false positives and is highly accurate. It’s a unique tool designed to identify XSS vulnerabilities in various web applications, utilizing path-based XSS and many other advanced options. For anyone looking to learn more about XSS or earn money through bug bounty programs, this tool is the perfect combination. It’s also ideal for pentesters who want to ensure their work is comprehensive and accurate, providing clients with safe reports and the confidence that no XSS vulnerabilities will be found later.

Official Release Announcement

I am excited to confirm that the official release of the #IBRAHIMXSS Tool will be on July 18th.


This discovery once again demonstrated the effectiveness of the #IBRAHIMXSS Tool in identifying and exploiting XSS vulnerabilities. The tool’s ability to handle complex payloads and provide accurate results makes it an invaluable asset for any security professional.




Deploying an alert box in a web app is like having a tiny pop-up comedian shout 'Surprise!' whenever you least expect it!