So I got on another Hall of Fame (I'm aiming for one each week) by finding a Reflected Cross-site scripting (XSS) vulnerability in Netflix.
Here's the link: https://help.netflix.com/en/node/6657
When dealing with user input, in many cases you need to do your own input handling, which Netflix had to do for their website, as it's fully custom. Filtering possible XSS entry points looks like an easy task, yet many still make common mistakes.
Netflix is sanitizing all the parameter values coming from the URL, but they forgot to properly sanitize the parameter names themselves. There was a filter in place, but it was weak: it looked like a simple tag-replacing regex.
This would not output the script, as the regex replaces the tags:
The regex would remove any tags and other blacklisted combinations like `</` and leave us with the injected payload.
Avoid writing your own filter; use a well-known one. Reject input that is obviously neither a legitimate value nor a known field name. Stop thinking XSS is not a big deal. It is a big deal. Ask Adobe.
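The bug described above (values escaped, parameter names reflected raw) and the advice that follows it, as an added example that is not Netflix's code or anything from the original post: a reflection routine that only escapes values, next to a hardened one that escapes both names and values and drops names that do not look like field names at all. The query string, the `NAME_RE` pattern for what a legitimate field name looks like, and the `<li>` template are constructed assumptions for the demonstration.

```python
import html
import re
from urllib.parse import parse_qsl

# Constructed sample query: the second parameter *name* carries markup (benign <i> tag).
SAMPLE_QUERY = "q=<b>hi</b>&<i>name</i>=1"

# Assumption: field names on this hypothetical page are short identifiers only.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")

# Hypothetical page template that echoes each parameter back as a list item.
OPEN_TAG, CLOSE_TAG = "<li>", "</li>"


def reflect_values_only(query: str) -> str:
    """Mirrors the weakness the post describes: values are escaped, names are not."""
    parts = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        parts.append(f"{OPEN_TAG}{name}={html.escape(value, quote=True)}{CLOSE_TAG}")
    return "".join(parts)


def reflect_hardened(query: str) -> str:
    """Escape every reflected token, name and value alike, and refuse to reflect
    names that are not plausible field names (an allowlist, not a tag blacklist)."""
    parts = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not NAME_RE.fullmatch(name):
            continue  # obviously non-field input: never echo it into the page
        parts.append(
            f"{OPEN_TAG}{html.escape(name, quote=True)}={html.escape(value, quote=True)}{CLOSE_TAG}"
        )
    return "".join(parts)


def reflects_raw_markup(fragment: str) -> bool:
    """Detection helper for a test suite: True if any '<' or '>' survives in the
    output outside the template's own tags, i.e. user markup reached the page."""
    stripped = fragment.replace(OPEN_TAG, "").replace(CLOSE_TAG, "")
    return "<" in stripped or ">" in stripped


if __name__ == "__main__":
    weak = reflect_values_only(SAMPLE_QUERY)
    hard = reflect_hardened(SAMPLE_QUERY)
    print("values-only :", weak, "| raw markup:", reflects_raw_markup(weak))
    print("hardened    :", hard, "| raw markup:", reflects_raw_markup(hard))
```

The point of `reflects_raw_markup` is that it checks the output, not the input: a regression test built on it catches any reflection path, names included, that lets angle brackets through, regardless of which regex the filter in front of it happens to use.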