How I stumbled upon a Stored XSS (my first bug bounty story)

Parth Shah
Jan 4, 2019 · 2 min read

Hello bug hunters, this is my first story, so pardon my English.

I found this bug a few months back. I am grateful to the community, as I have learned every damn thing from it. I found this bug in Edmodo, because who doesn't want swag to show off in front of friends :). So let's start the story.

The first step was reading what others had already found, so I would not waste time rediscovering the same issues, and I realized most of the obvious bugs had already been reported. I was a bit disappointed but had decided to find a vulnerability anyway. So I started browsing the website and inserting XSS payloads into almost every input field, but nothing popped up. I checked for CSRF and IDOR as well, but all of them failed.

It was late at night and I was thinking of quitting and going to sleep when I decided to test one last piece of functionality: adding students to a group created by a teacher. I put an XSS payload in the first name and last name of the student and added it. As usual, nothing happened; the add flow displayed the name harmlessly. I was frustrated af. I decided to delete my account and everything and drop the target. So I started by deleting the student I had created with the XSS payload, and BAAMMM! I got the alert. The stored name had been rendered without encoding in the delete flow, even though it had been displayed safely when the student was added. I couldn't believe I had got my life's first alert box.

I was very happy, as I had found the first valid bug of my life. I wasn't able to sleep properly. I immediately made a POC video and sent it to the team. They were very responsive, and after a few weeks I received the swag.

PS: Finding this bug wasn't intentional, but the amount of hard work and time I had put into the website made it worth it.

Takeaways:-

  1. Always dig deeper into the web application. There is always something fruitful.
  2. Always check each and every piece of functionality and every input, including the places where stored data is displayed later.
  3. The main thing is to never give up. I was about to give up, and then I found this.

Thank you for reading. I am now focusing more on reward-based programs. Any suggestions are welcome.
