How I caught multiple vulnerabilities in, but was not rewarded for a serious XSS vulnerability :(


This is Satyendra Shrivastava (independent cybersecurity researcher).

Today I’m going to tell you the story of finding a bunch of bugs in and the bugs are XSS (DOM-based XSS), HTML injection, clickjacking and broken authentication on the homepage of

So let’s begin the story.

One day I was in the computer lab of my college. As usual, all the students were studying their subjects, and since I’m a security researcher I was busy with my own stuff, meaning hacking, LOL! :)

I was looking for bugs in random websites when suddenly I thought I needed to gain more knowledge about hacking, so I started searching for hacking courses on the internet. Fortunately I ended up on and searched for a bWAPP training course, but there were no courses for me :(

And then suddenly I had the thought of testing for XSS, and I entered a simple JavaScript payload in the search bar -


Unfortunately, there was no response so far :(

After some time I tried one more JavaScript payload, which is -

<img src=1 onerror=alert(document.cookie)>


I got a popup with the cookie reflected.

My friends and I were like this –

Now I couldn’t stay cool; I was so happy that I continued to look for more and tried an HTML injection payload.

The payload is —

<h1><marquee>Udemy has beeen hacked</marquee></h1>

Once again BOOOMM!!!
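Both findings above (the search-bar DOM XSS and the HTML injection) share one root cause: the search term is written into an HTML sink such as innerHTML without encoding. The following is an added example, not code from the original post or from Udemy, that models that sink as a string builder so it runs under Node without a browser DOM; the function names are hypothetical, and the inputs are the two payloads from the post plus a constructed benign query.

```javascript
// Constructed inputs: a benign query and the two payloads shown in the post.
const SAMPLE_QUERIES = [
  "bwapp training course",
  "<img src=1 onerror=alert(document.cookie)>",
  "<h1><marquee>Udemy has beeen hacked</marquee></h1>",
];

// Encode the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (hypothetical template): the query is concatenated
// straight into markup, which is what `results.innerHTML = ...` does in a
// browser. The img payload's onerror fires; the marquee payload renders.
function renderHeadingUnsafe(query) {
  return `<h2>Results for "${query}"</h2>`;
}

// Fixed pattern: encode before concatenating. In a real page the equivalent
// is assigning the query via `textContent` instead of `innerHTML`.
function renderHeadingSafe(query) {
  return `<h2>Results for "${escapeHtml(query)}"</h2>`;
}

// Regression check a defender can keep in CI: strip the template's own
// wrapper tags and report whether any user-controlled angle bracket is left,
// i.e. whether the query introduced markup of its own.
function introducesMarkup(rendered) {
  const body = rendered.replace(/^<h2>/, "").replace(/<\/h2>$/, "");
  return /[<>]/.test(body);
}

// Audit every sample query through both renderers.
function auditAll() {
  return SAMPLE_QUERIES.map((q) => ({
    query: q,
    unsafeLeaksMarkup: introducesMarkup(renderHeadingUnsafe(q)),
    safeLeaksMarkup: introducesMarkup(renderHeadingSafe(q)),
  }));
}

console.table(auditAll());
```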

That day my luck was like this –

And then my curiosity level was at its peak :)

I needed some more, so once again I started fighting with

Once again, I found clickjacking.

I tried one more time and found a broken authentication issue: it allows an attacker to brute-force the coupon code field.

Now I was satisfied with that last vulnerability, and I finally reported all the bugs to Udemy.

But here my luck was not with me, because the program marked the XSS as out of scope. I was shocked.

And the broken authentication was marked as a duplicate.

But still, the remaining bugs (HTML injection, potential clickjacking) were triaged, so finally I’m happy.

Status — Fixed