How I stumbled upon a Stored XSS (my first bug bounty story)

Parth Shah
2 min read · Jan 4, 2019


Hello bug hunters, this is my first story, so pardon my English.

I found this bug a few months back. I am grateful to the community, as I have learned every damn thing from the community. I found this bug in Edmodo, because who doesn’t want swag to show off in front of friends :). So let’s start the story.

The first step was reading what others had already found, so I wouldn’t waste time rediscovering them, and I realized most of the bugs had already been reported. I was a bit disappointed, but I had decided to find a vulnerability. So I started visiting the website and inserting XSS payloads in almost every input field, but nothing popped up. I checked for CSRF and IDOR, but all of them failed. I was like

It was late at night and I thought of quitting and going to sleep, but I decided to test one last functionality: adding students to a group created by a teacher. I put an XSS payload in the first name and last name of the student and added it. As usual, nothing happened. I was frustrated af. I decided to delete my account and everything and quit the target. So I started by deleting the student created with the XSS payload and BAAMMM! I got the alert from the payload. I couldn’t believe it: I had got my life’s first alert box.
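The bug class described above, as an added example that is not Edmodo’s code: a stored name is concatenated into the HTML of a delete-confirmation prompt, so markup in the name is rendered instead of shown literally, and the same prompt with the fields escaped. The student record, function names and `leaksMarkup` check are all constructed for this illustration.

```javascript
// Constructed sample record; the first name carries HTML markup the same
// way anything typed into the "first name" field would be stored verbatim.
const sampleStudent = { id: 42, firstName: 'Ann <b>Bold</b>', lastName: 'O"Neil' };

// Vulnerable pattern: the stored name is concatenated into an HTML string
// that the page later assigns to innerHTML. Markup in the name is rendered,
// which is why a payload saved at "add student" only fires at "delete".
function renderDeletePromptUnsafe(student) {
  return '<p>Remove <strong>' + student.firstName + ' ' + student.lastName +
         '</strong> from this group?</p>';
}

// Minimal HTML entity escaping for text nodes and double-quoted attributes.
// '&' must be replaced first so already-escaped output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: every stored field is escaped at the point it is
// inserted into HTML, so the browser displays the name literally.
function renderDeletePromptSafe(student) {
  return '<p>Remove <strong>' + escapeHtml(student.firstName) + ' ' +
         escapeHtml(student.lastName) + '</strong> from this group?</p>';
}

// Review/unit-test check: if an untrusted input containing '<' or '>' appears
// verbatim in the rendered HTML, the output is injectable.
function leaksMarkup(html, rawInput) {
  return /[<>]/.test(rawInput) && html.includes(rawInput);
}
```

In a real page, building the prompt with `textContent` (or a templating engine that escapes by default) instead of string concatenation into `innerHTML` removes the need to remember `escapeHtml` at every call site.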

I was very happy, as I had got the first valid bug of my life. I wasn’t able to sleep properly. I immediately made a POC video and sent it to the team. They were very responsive. After a few weeks I received the swag.

PS: This bug wasn’t intentional, but the amount of hard work and time I put into the website made it worthy.

Takeaways:

  1. Always dig deeper in a web application. There is always something fruitful.
  2. Always check each and every functionality and input.
  3. The main thing is never give up. I was going to give up, and I found this.

Thank you for reading this. I am now focusing more on reward-based programs. Any suggestions are welcome.
