While laying on my couch, surfing my Twitter's timeline on my mobile, I noticed that KIWI.KI have started their program on HackerOne.
I opened the program's page to read the guidelines and learn about the targets, then I started to enumerate the subdomains that are in-scope for the program to start looking for bugs in them.
I found the subdomain https://web.kiwi.ki, calling that URL in my browser's address bar resulted in a 302 redirect to the login form located at https://web.kiwi.ki/index.php?owa_do=base.loginForm&owa_go=https://web.kiwi.ki/&.
Noticing that the values of the GET parameters owa_do and owa_go appear inside two hidden <input> fields in the source of the page, I started testing them for XSS.
I couldn't inject into the parameter owa_do as changing/adding/removing characters from the initial value of this parameter causes the page to break and show a blank page, so I was left with the other parameter to test.
Injecting a simple testing probe like <"xss', I found that the injection breaks out of the value parameter of the hidden <input> field due to the lack of encoding/filtering/escaping of all the special characters in the string.
Triggering an alert box in this case was as easy as injecting the payload "><svg onload="alert(domain).
The XSS here is cross-browser because any injection of the form <x> was completely stripped and removed, which allows us to bypass Chrome's XSS auditor and Edge's XSS filter.
After succeeding to create this beautiful alert box, I started scraping the page source to find the vendors of the service, as it was clearly not developed by KIWI. I found a link to http://www.openwebanalytics.com, which is an "open source web analytics software that you can use to track and analyze how people use your websites and applications", according to their landing page.
Knowing that the software is not actually KIWI's, I started to search the web to find more sites that use the service, and I actually found a bunch of web applications that use it.
I reported this bug on 25/2/2016 and it was fixed on 28/2/2016 in the following commit:
https://github.com/padams/Open-Web-Analytics/commit/4ee856074f93fa9e4a49efb8d45319e7783b6aee
Thanks for reading, have a nice day ;)