XSS on TikTok

2 min readMay 14, 2024


Hi folks ,

Today I will share with you my XSS on TikTok :

While I was surfing TikTok I got that their is a misconfiguration from the server which even it can encode some characters to prevent XSS but it can’t prevent it in the client side , so I was able to get it in the search bar but their is a problem which is that theirs is no parameter the payload get reflected in , and Yes It’s a self XSS till now so let’s forget this method and let’s try to escalate it ,

As anyone I tried many things as : CSRF , Web Caching , …. etc

But their was nothing , Now we are in a bad corner can’t go anyway else cause as I told you no parameter no reflection but no way to leave it .

After some days I told my self what if the site vulnerable for Clickjacking ?

Yes exactly it was vulnerable but their was a challenge here to less the user interactions to make it from two or lesser to make it with likely user interactions , then after a lot of thinking with my friend “Karem” we were able to make it with only two interactions as The Victim visit the page The payload will be copied automatically and pop message to tell him to paste the payload on search bar using this js function :

function copyText() { 4 const textToCopy = ‘XSS-PAYLOAD’; 5 const textArea = document.createElement(“textarea”); 6 textArea.value = textToCopy; 7 document.body.appendChild(textArea); 8 textArea.select(); 9 document.execCommand(“copy”); 10 document.body.removeChild(textArea); 11 12 alert(“Please Paste to search and click enter “); 13 }

Then after pasting it the XSS will be executed and if you used your server for BXSS you will get the cookies automatically ,

But after the H1 team Triaged it and The TikTok team told me that it’s ok and they will pay me , They Resolved it with ineligible for bounty and IDK why even that the H1 Triage member tried to explain it’s severity again to them but they refused it .

I won’t Share the payload cause their still Vulnerable endpoints .

Thanks ,