One Bug at a Time: $1,500 worth of XSS

4 min readSep 20

Welcome back people! Today we will be digging into how to find XSS that others are not finding.

Bug Number 1: Stored and Reflected XSS on settings page

Looking for a XSS in this site was interesting, no code was popping but I was getting some parsed data like this:

>”

Instead of my full payload as:

"><img src=x onerror=alert("XSS");>

This meant that the application was taking in my data and not blocking it. From here I went through the entire website seeing if the payload would pop up anywhere else and it did. Upon further investigation, I discovered that the XSS vulnerability I identified on the settings page has a wider impact on the entire website. The issue is related to improper input validation and output encoding, allowing malicious payloads to be executed both in a stored and reflected manner. This meant I could exfiltrate data of the users from their settings page because the data that was shared in the settings page is able to be viewed by other people (Administrators or Researchers).

Impact: This vulnerability poses a significant security risk as it allows attackers to execute arbitrary JavaScript code within the context of other users’ sessions. The potential consequences include:

Data Exfiltration: Attackers can steal sensitive user data stored in the settings page, which is accessible to administrators and researchers. This data may include personal information, email addresses, or even authentication tokens.
Session Hijacking: An attacker can use this vulnerability to hijack user sessions, potentially gaining unauthorized access to the victim’s account

Tips for finding this type of XSS

Once a payload is past filters, don’t remain on one page, try to visit every page on the site because it could be getting displayed somewhere else.
Check for Variations in Input Handling: After successfully injecting a payload, test different variations of the payload (e.g., different encodings, payloads with special characters) to ensure that the vulnerability is not limited to a specific input format or context.
Investigate Cookie Manipulation: If the XSS…

One Bug at a Time: $1,500 worth of XSS

Written by Gavin Kramer

More from Gavin Kramer

One Bug at a Time: My First Paid Bug ($1,000 IDOR)

Hello all! Glad to see you back : ) Today I will be writing about my first paid bug, it has a funny story line so read along!

One Bug at a Time: In depth analysis of 3 IDOR bugs

One Bug at a Time: Patent Pirating using IDOR | RE’ing US Patent and Trademark Office for fun

Hello readers! Today I will be going into a fun story on how I used an IDOR within the US Patent and Trademark Office for fun with a…

One Bug at a Time: First 15 days of #30daysofbugbounty

Before we start, thank you for coming here and reading this blog!

Recommended from Medium

Mass Hunting XSS vulnerabilities

In this article, I would like to cover how it is possible to efficiently check thousands of endpoints for potential Cross Site Scripting…

How to Find First Bug (For Beginners)

As a beginner, you try to find bugs in many websites but still you got nothing. You got Demotivation during bug hunting ,Don’t worry when…

Lists

Medium Publications Accepting Story Submissions

$1000 Bounty: How I scaled a Self-Redirect to an XSS in a web 3.0 system at Hackenproof

Hello everyone, in this article, I will share how I scaled from a self-redirect that redirected only to a link containing the host itself…

My First IDOR - Hiding in the Header Request

In the midst of a busy schedule, the little time I dedicate to bug hunting brings immense joy, especially when I stumble upon something…

Discovering 7 Open Redirect Bypasses and 3 XSS Bypasses Within a Single Program Using Same…

In today’s Write-up, I will share my journey of uncovering 7 open redirects and 3 XSS WAF (Web Application Firewall) bypasse’s

Reconnaissance Is The Key — Bug Bounty Tip!

Reconnaissance, or information gathering, is a crucial phase in finding vulnerabilities because it lays the foundation for a successful…