Story of Stored Xss

Walid Hossain
Nov 28, 2018 · 2 min read

Hi guys!!

I am Walid Hossain, a bug hunter and web penetration tester from Bangladesh. This is my first write-up for the Medium community! I am sharing a write-up about one of my recent findings (stored XSS).

So, when does stored XSS occur???

Stored XSS occurs when a web application gathers input from a user, which might be malicious, and then stores that input in a data store for later use. The stored input is not correctly filtered, so it is later returned to other users' browsers unchanged.

Some days ago on Twitter I read a tip about XSS. That is: always put something before the XSS payload, like TEST"><svg onload=alert(1)// . Then, when you start searching for the word TEST, the XSS should fire (if the input is not properly filtered). And I was like:


At that time I was looking at a private site, and I thought, why not give it a try??? So I started looking into this!! Let's say the web app name

I created two accounts on . While doing that, I set the display name as TEST"><svg onload=alert(1)// and created the account. Now what??? I started typing the name in the search bar and BOOM! XSS fired up!! I was really surprised that the input was not filtered and the tip worked like hell! Again I was like:

Then, honestly, I did not think much and reported the issue to the private program! After two days they replied and marked it as won't fix, saying it was self XSS because the victim could not find the attacker's name in the search bar, thus the victim could only attack himself. As I had not thought much about the issue, I was like:

Then I thought about how we could attack a victim with this??? I tried to understand the functionality of the and after spending a day I understood that:

  1. If user1 is following user2, then user2 will appear in user1's search bar.
  2. If user1 is not following user2, then user2 will not appear!

And I set up the attack scenario like this:

  1. The attacker sets his display name as Attacker1"><svg onload=alert(1)//
  2. Now Attacker1 follows Victim1.
  3. Victim1 gets interested and also follows Attacker1.
  4. Victim1 wants to see Attacker1's profile, so he starts typing Attacker1 in the search bar.
  5. BOOM! The XSS should pop up in the victim's browser!!
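To make the root cause concrete, here is an added example (not code from the original post or from the affected site) of how a search-bar suggestion list could render a followed user's display name unsafely, next to a hardened version that encodes the value at output time. The user list, function names and the escaping helper are hypothetical; the display name is the payload from the scenario above.

```javascript
// Constructed sample data: users the current account follows, one of which
// carries the stored display name from the write-up.
const FOLLOWED_USERS = [
  { id: 1, displayName: 'Alice' },
  { id: 2, displayName: 'Attacker1"><svg onload=alert(1)//' },
];

// Vulnerable rendering: the stored display name is concatenated straight into
// markup, so the payload closes the attribute and injects an <svg onload> tag.
function renderSuggestionsUnsafe(users, query) {
  return users
    .filter((u) => u.displayName.toLowerCase().startsWith(query.toLowerCase()))
    .map((u) => `<li data-name="${u.displayName}">${u.displayName}</li>`)
    .join('');
}

// HTML-encode a value for use as element text or a double-quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every untrusted value is encoded when it is written
// into HTML, regardless of whether it was filtered when stored.
function renderSuggestionsSafe(users, query) {
  return users
    .filter((u) => u.displayName.toLowerCase().startsWith(query.toLowerCase()))
    .map((u) => {
      const name = escapeHtml(u.displayName);
      return `<li data-name="${name}">${name}</li>`;
    })
    .join('');
}

// Detection helper for the example: does rendered markup contain an injected
// svg element (the tag the stored payload tries to introduce)?
function containsInjectedTag(html) {
  return /<svg\b/i.test(html);
}
```

In a real browser the safe path should build nodes with createElement/textContent rather than string concatenation, but the encoding rule shown here is the one that turns a stored payload back into harmless text.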

And I submitted all of this. After some days one of the analysts triaged my report, saying "Thank you for a detailed POC, N00B-Walid". I was like:

So that's the story of the stored XSS. Please pardon any mistakes, as this is my first write-up! And I am no one compared to any of the guys out there. Thank you!

Issue found: 15 November

Submitted: 15 November

Marked won't fix: 21 November

Triaged: 25 November

Bounty awarded: 26 November

Best regards, NOOB-Walid
