So I got on another Hall of Fame (I'm aiming for one each week) by finding a reflected cross-site scripting (XSS) in Netflix.
Here's the link: https://help.netflix.com/en/node/6657
When handling user input you often have to write the input handling yourself, which is what Netflix had to do for its fully custom website. Filtering potential XSS entry points looks like an easy task, yet the same mistakes keep being made.
Netflix sanitized every parameter value taken from the URL, but forgot to sanitize the parameter names themselves properly. A filter was in place, but it was weak: it behaved like a simple tag-replacing regex. Parameter names are just as attacker-controlled as parameter values, so anything reflected from them needs the same output encoding.
A plain payload would not execute, because the regex strips the tags:
But we can make their regex hand back the original payload, by nesting it so that what the regex removes leaves the payload behind:
The regex removes any tags and other blacklisted sequences such as </ in a single pass, and what remains is the injected payload.
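To make the bypass concrete, here is an added example (not Netflix's code, and not the filter or payload from the original post, which did not survive extraction). It models a single-pass, blacklist-style tag-stripping filter of the kind described above, shows why a nested payload reassembles after one pass, and puts two hardened alternatives beside it. The regex, the payloads and the reflected HTML are constructed assumptions for illustration.

```javascript
// Added example, not Netflix's code. Models a single-pass, blacklist-style
// tag-stripping filter and shows why a nested payload survives it. The regex,
// the payloads and the page fragment below are constructed for illustration.

// Weak filter (assumption): one pass that removes anything that looks like a
// tag (<...> with no nested angle brackets) or the blacklisted "</" sequence.
// String.prototype.replace with a /g regex never re-scans text it has already
// passed, so characters that close up after a removal are not examined again.
function weakStripTags(input) {
  return input.replace(/<[^<>]*>|<\//g, "");
}

// A plain payload is stripped as intended.
const PLAIN = "<script>alert(1)</script>";

// Nested payload (constructed): each fragment the regex removes is wrapped so
// that the surrounding characters join into the original payload afterwards.
//   <scr<script>ipt>           -> "<script>" removed -> "<script>"
//   <</script>/script>         -> "</script>" removed -> "</script>"
const NESTED = "<scr<script>ipt>alert(1)<</script>/script>";

// Hardened alternative 1: encode instead of strip. For an HTML text context,
// escaping these five characters is sufficient; nothing can re-form a tag.
function htmlEncode(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened alternative 2: if stripping really is required, repeat until the
// input stops changing, so fragments that reassemble are caught on a later pass.
function stripToFixedPoint(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = weakStripTags(cur);
  } while (cur !== prev);
  return cur;
}

// Simulates the vulnerable page: the reflected value (here standing in for a
// parameter name) is passed through the chosen filter and written into the
// HTML body. The surrounding markup is constructed, not Netflix's HTML.
function renderReflected(value, filter) {
  return `<p>Unknown parameter: ${filter(value)}</p>`;
}

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  console.log("plain  :", renderReflected(PLAIN, weakStripTags));
  console.log("nested :", renderReflected(NESTED, weakStripTags));
  console.log("encoded:", renderReflected(NESTED, htmlEncode));
  console.log("fixpt  :", renderReflected(NESTED, stripToFixedPoint));
}
```

The single-pass filter turns the nested string into exactly the plain payload it was meant to block; the fixed-point variant reduces it to bare text, and the encoding variant leaves no angle brackets at all. Encoding for the output context is the preferable fix, since a strip-until-stable loop still depends on the blacklist being complete.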