Here are some client-side bugs that were present on the Parse.com homepage:

The first vulnerable code was present in https://parse.com/apps/user_management:
// window.location.pathname is concatenated into markup and written with innerHTML
document.getElementById('content').innerHTML =
  '<h1>This page lets you host Parse.com content from your own domain.</h1>' +
  '<p>Right click <a href="' + window.location.pathname + '">here</a> to save this page. ' +
  'Upload it to your own website and paste the URL in the "Parse Frame URL"';
The problem exists because document.getElementById('content').innerHTML is assigned a string built from window.location.pathname without any proper encoding. This can be exploited with https://parse.com/apps/user_management/?/<payload>, and the payload is written into the href attribute as the pathname. Ouch! This vulnerability is only exploitable in Internet Explorer 11.
The second one is on the same page:
// urlParams holds the parsed query string of the current page
if (param == 'link') {
  link = urlParams['link'];
}
var iframe = document.createElement('iframe');
iframe.setAttribute('src', link); // the attacker-controlled value becomes the frame source
This one is easy to exploit: ?link=/closesrc><payload> would do the job!
Some effective fixes are in place now, using encodeURIComponent()! :)
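To show why the two sinks above are dangerous and what a hardened version looks like, here is an added example (not Parse.com's code, and not the fix they shipped): each sink is built as a plain string function beside a safe counterpart, so it runs outside a browser. The inputs, the parseQuery helper and the example.invalid origin are constructed for the demo.

```javascript
// Added example, not Parse.com's code: the two DOM XSS sinks from the
// write-up, each next to a hardened version. Names and inputs are constructed.

// HTML-escape a string so it can be placed inside markup or an attribute.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Sink 1 (vulnerable): the path is concatenated straight into an href attribute.
function buildLinkHtmlVulnerable(pathname) {
  return '<a href="' + pathname + '">here</a>';
}

// Sink 1 (hardened): percent-encode the path (encodeURI keeps '/' but encodes
// '<', '>' and '"'), then HTML-escape whatever is left before it reaches innerHTML.
function buildLinkHtmlSafe(pathname) {
  return '<a href="' + escapeHtml(encodeURI(pathname)) + '">here</a>';
}

// Minimal query-string parser standing in for the page's urlParams object.
function parseQuery(search) {
  var params = {};
  search.replace(/^\?/, '').split('&').forEach(function (pair) {
    if (!pair) return;
    var i = pair.indexOf('=');
    var key = i < 0 ? pair : pair.slice(0, i);
    var val = i < 0 ? '' : pair.slice(i + 1);
    params[decodeURIComponent(key)] = decodeURIComponent(val);
  });
  return params;
}

// Sink 2 (vulnerable): ?link= is used as the iframe src with no checks at all.
function iframeSrcVulnerable(search) {
  return parseQuery(search).link;
}

// Sink 2 (hardened): resolve the value against the page origin and allow only
// http(s) targets, so javascript:/data: URLs never become a frame source.
// baseOrigin would be window.location.origin in a browser.
function iframeSrcSafe(search, baseOrigin) {
  var link = parseQuery(search).link || '';
  try {
    var u = new URL(link, baseOrigin || 'https://example.invalid/');
    return (u.protocol === 'https:' || u.protocol === 'http:') ? u.href : 'about:blank';
  } catch (e) {
    return 'about:blank';
  }
}
```

In a real page the safe strings would still go through innerHTML and setAttribute('src', ...) respectively; the point is that the untrusted value is encoded or validated before it reaches the sink.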
Hope you find this useful and find similar bugs!
Dec 30, 2014 – Initial Triage
Mar 30, 2015 – More clarification sent
Mar 31, 2015 – Report got escalated
Apr 2, 2015 – Fix and Bounty!