So I started to participate in bug bounty programs not so long before, and soon I found at least 2 places are vulnerable for stored XSS on a (quite big, I believe? They have many users and having some big banks and firms being their partner.) website which helps users to learn coding.
The website’s dashboard enable users to submit thier details without being filtered. XSS payloads can be added into the Boxes to triggered XSS on the browser of any users visiting the user profile
How I Discovered The Stored XSS
On this very day, I logged into the platform, because the platform is a learning ground, so I wasn’t in the mood to start looking at video tutorial nor to read anything cause the course in my list out table seems bulky.
So instead of learning, I said let me even test some of my bug bounty skills on this platform, first I looked for any reflected XSS entry points like searching function on the website and improper error messages displayed.
And I had no luck 😦 . But sometimes misfortune is a blessing in disguise.
After digging a well, Soon I found that I can leave something on the profile dashboard :
Because the user profile has an option to edit ,add your bio, add some texts, so I wrote somethings, and I started with >< and I was like this is my fish, I have to catch and roast it.
So I didn’t even stress myself, I got the common payload which is <script>alert(1)</script> , I inserted this payload into the bio box and I saved it and the bio box when blank.
Not that the payload isn’t there but the website functionality made it looks like a white text, so immediately I refreshed the page and boom!!!.
The stored XSS triggered, Damm I was so happy, you know that feeling when you get your first Stored XSS.
But the anxiety in me made me report without thinking of some way to make the bug more complex and dangerous.