Hi, I’m Karan Sharma. My first bounty was based on a stored XSS, so let’s talk about it.
So I’m very new to bug bounty, and I actually started hunting on paid targets a month ago via HackerOne.
I picked a private target based on the actual application’s functionality, as I suck at reconnaissance.
How I found the XSS
I was testing as usual, getting familiar with the different features of the application.
But there was this feature where a user can create hierarchical steps and link those steps with other functions, like displaying a date and other stuff…
There was one more interesting feature where a user can import & export the steps in the form of XML files.
So I created some steps and exported them.
In the XML file, each step was a tag with a bunch of metadata… I tried the classic XSS payload, but it breaks the XML format.
Now what!? Then I thought about encoding the special characters so they won’t break the structure; i.e. < becomes &lt;
So the final payload will be &lt;img src=x onerror=alert(document.domain)&gt;
After importing the XML file with the payload, huh! It won’t trigger 🧐
At least not on the same page. It actually triggered on a different page where the user can print the whole steps.
Scenario: Now an attacker (any member with just import/export permission) can import the XML file and send the link of the print page to other members / victims, including the ADMIN (owner).
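To show why the entity-encoded payload survives import and then fires on the print page, here is an added example (my own illustration, not the target application’s code): the XML parser decodes `&lt;`/`&gt;` back into real angle brackets when the file is imported, so a print page that concatenates step names into HTML without escaping ends up with a live `<img>` tag. The sample export file, the step/name element names and the two render functions are all constructed assumptions; the hardened version escapes every stored value at output time.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample export: step 2's name carries the entity-encoded payload
# from the write-up. The document is well-formed XML precisely because the
# angle brackets are written as &lt; and &gt; instead of raw < and >.
SAMPLE_EXPORT = """<steps>
  <step id="1"><name>Open the form</name></step>
  <step id="2"><name>&lt;img src=x onerror=alert(document.domain)&gt;</name></step>
</steps>
"""


def import_steps(xml_text):
    """Parse an export file into (id, name) pairs.

    The XML parser decodes character entities, so after this call the stored
    step name already contains raw '<' and '>' characters.
    """
    root = ET.fromstring(xml_text)
    return [(s.get("id"), s.findtext("name", default="")) for s in root.findall("step")]


def render_print_page_unsafe(steps):
    """Models the vulnerable print page: names are dropped into HTML as-is."""
    return "".join(f"<li>{name}</li>" for _, name in steps)


def render_print_page_safe(steps):
    """Hardened print page: every untrusted value is HTML-escaped on output."""
    return "".join(f"<li>{html.escape(name, quote=True)}</li>" for _, name in steps)


def contains_raw_tag(rendered_html, tag="img"):
    """Check whether the rendered HTML contains a live <tag ...> element."""
    return f"<{tag} " in rendered_html.lower()


if __name__ == "__main__":
    imported = import_steps(SAMPLE_EXPORT)
    print("unsafe:", render_print_page_unsafe(imported))
    print("safe:  ", render_print_page_safe(imported))
```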