
My first bounty (stored-xss)

Hi, I'm Karan Sharma. My first bounty was for a stored XSS; let's talk about it.

So I'm very new to bug bounty, and I actually started hunting on paid targets a month ago via HackerOne.

I picked a private target based on the actual application's functionality, as I suck at reconnaissance.

How I found the XSS

I was testing as usual, getting familiar with the different features of the application.

But there was this feature where a user can create hierarchical steps and link those steps with other functions, like displaying a date and other stuff…

There was one more interesting feature where the user can import and export the steps as XML files.

So I created some steps and exported them.

In the XML file, each step was a tag with a bunch of metadata… I tried the classic XSS payload, but it breaks the XML format.

Now what!? Then I thought about encoding the special characters so the payload won't break the structure; i.e. < becomes &lt;

So the final payload was &lt;img src=x onerror=alert(document.domain)&gt;

After importing the XML file with the payload, huh! It didn't trigger 🧐

At least not on the same page. It actually triggered on a different page where the user can print all the steps.

Scenario: now an attacker (any member with just import/export permission) can import the XML file and send the link to the print page to other members / victims, including the ADMIN (owner).
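Why the entity-encoded payload works, and what fixes it, as an added example (not code from the original post or the target application): the XML parser decodes &lt;/&gt; back into raw < and > when the file is imported, so the stored step name already contains HTML markup; the print page then interpolates that stored name without output encoding. The sample export, the step/name element names and the two render functions below are constructed assumptions for illustration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample export. The step name carries the entity-encoded payload
# from the write-up, so the file stays well-formed XML (a raw '<' would break it).
EXPORTED_STEPS = """<steps>
  <step id="1"><name>Collect form</name></step>
  <step id="2"><name>&lt;img src=x onerror=alert(document.domain)&gt;</name></step>
</steps>"""


def import_steps(xml_text: str) -> list[dict]:
    """Parse the export the way an import feature would. The XML parser
    decodes &lt;/&gt; to '<'/'>', so the stored name is now raw HTML markup."""
    root = ET.fromstring(xml_text)
    return [{"id": s.get("id"), "name": s.findtext("name", "")}
            for s in root.findall("step")]


def render_print_page_vulnerable(steps: list[dict]) -> str:
    """Print page that interpolates the stored name verbatim (the bug described)."""
    rows = "".join(f"<li>{s['name']}</li>" for s in steps)
    return f"<ul>{rows}</ul>"


def render_print_page_fixed(steps: list[dict]) -> str:
    """Same page with contextual output encoding: html.escape turns the stored
    '<' back into '&lt;' at render time, so the browser shows text, not a tag."""
    rows = "".join(f"<li>{html.escape(s['name'], quote=True)}</li>" for s in steps)
    return f"<ul>{rows}</ul>"


def contains_markup(rendered: str, tag: str = "<img") -> bool:
    """Check a regression test can run over the rendered page: is there an
    unescaped tag in the output that came from user-controlled data?"""
    return tag in rendered


if __name__ == "__main__":
    steps = import_steps(EXPORTED_STEPS)
    print("stored name after import:", steps[1]["name"])
    print("vulnerable page leaks markup:", contains_markup(render_print_page_vulnerable(steps)))
    print("fixed page leaks markup:     ", contains_markup(render_print_page_fixed(steps)))
```

The lesson for the import side is that entity decoding is the parser's job, so "the XML was valid" says nothing about the stored value; the render side has to encode for the HTML context every time.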

Reward: $1000

I bought something with my first bounty, check it out here:

MacBook Air M1

A big thanks to some of the people from the #infosec community; these guys help me stay motivated:

hunter0x7, HusseiN98D and two friends of mine 🎃

Thank you for reading!
