One Bug at a Time: $1,500 worth of XSS

4 min readSep 20

Welcome back people! Today we will be digging into how to find XSS that others are not finding.

Bug Number 1: Stored and Reflected XSS on settings page

Looking for a XSS in this site was interesting, no code was popping but I was getting some parsed data like this:

>”

Instead of my full payload as:

"><img src=x onerror=alert("XSS");>

This meant that the application was taking in my data and not blocking it. From here I went through the entire website seeing if the payload would pop up anywhere else and it did. Upon further investigation, I discovered that the XSS vulnerability I identified on the settings page has a wider impact on the entire website. The issue is related to improper input validation and output encoding, allowing malicious payloads to be executed both in a stored and reflected manner. This meant I could exfiltrate data of the users from their settings page because the data that was shared in the settings page is able to be viewed by other people (Administrators or Researchers).

Impact: This vulnerability poses a significant security risk as it allows attackers to execute arbitrary JavaScript code within the context of other users’ sessions. The potential consequences include:

Data Exfiltration: Attackers can steal sensitive user data stored in the settings page, which is accessible to administrators and researchers. This data may include personal information, email addresses, or even authentication tokens.
Session Hijacking: An attacker can use this vulnerability to hijack user sessions, potentially gaining unauthorized access to the victim’s account

Tips for finding this type of XSS

Once a payload is past filters, don’t remain on one page, try to visit every page on the site because it could be getting displayed somewhere else.
Check for Variations in Input Handling: After successfully injecting a payload, test different variations of the payload (e.g., different encodings, payloads with special characters) to ensure that the vulnerability is not limited to a specific input format or context.
Investigate Cookie Manipulation: If the XSS…

One Bug at a Time: $1,500 worth of XSS

Written by Gavin Kramer

More from Gavin Kramer

One Bug at a Time: My First Paid Bug ($1,000 IDOR)

Hello all! Glad to see you back : ) Today I will be writing about my first paid bug, it has a funny story line so read along!

One Bug at a Time: In depth analysis of 3 IDOR bugs

One Bug at a Time: Patent Pirating using IDOR | RE’ing US Patent and Trademark Office for fun

Hello readers! Today I will be going into a fun story on how I used an IDOR within the US Patent and Trademark Office for fun with a…

One Bug at a Time: First 15 days of #30daysofbugbounty

Before we start, thank you for coming here and reading this blog!

Recommended from Medium

How I Got 4 SQLI Vulnerabilities At One Target Manually Using The Repeater Tab

Hi everyone, I’m Yousseff, A Junior Computer Science Student, and Cyber Security Enthusiast, Always hungry for a deep understanding of the…

OAuth Misconfiguration Leads To Pre-Account Takeover(snapchat)

Hi guys, my name is Ahmed Mahmoud. I am a bug hunter. I will share my latest finding, which is an OAuth Misconfiguration that Leads To…

Lists

Medium Publications Accepting Story Submissions

Stored XSS via Exif Data

XSS in GMAIL Dynamic Email (AMP for Email)

I found a XSS vulnerability on GMAIL that I reported to Google VRP on January 2023. This issue occurs due to improper HTML parsing in GMAIL…

$1000 Bounty: How I scaled a Self-Redirect to an XSS in a web 3.0 system at Hackenproof

Hello everyone, in this article, I will share how I scaled from a self-redirect that redirected only to a link containing the host itself…

Tricky 2FA Bypass Leads to 4 digit Bounty $$$$

Hii Everyone i am Rohan Gupta part time bug hunter and Full time as a Jr. Security analyst.