My First 4 Digit Bounty Tragedy ($1125) : Stored XSS

Hello Hunters, This is my FIRST Medium Article covering the Story of my FIRST 4 Digit bounty which was FIRST marked as a Duplicate but later found out to be a Unique submission after a long span of 25 days and also got gifted with a PentesterLab Pro Subscription for 3 months.😎

I’m very much excited to share this story or so called a TRAGEDY, with you all guys! 😂

Let’s Begin…

Cross site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS are the most dangerous of all. To successfully execute a stored XSS attack, a perpetrator has to locate a vulnerability in a web application and then inject malicious script into its server.
Unlike Reflected, The attacker does not need to find an external way of inducing other users to make a particular request containing their exploit. Rather, the attacker places their exploit into the application itself and simply waits for users to encounter it.

Summary:

The Vulnerable Web Application was a Content Management System (CMS). The Web Application had a Login/Signup feature and “Username” was considered as a Unique parameter for all Users, i.e. No two users can have the same Username.

To summarize, The “Username” input field was the injection point for malicious script and the script exploitation/execution point was another endpoint which was publicly accessible to all Users.

Steps Followed:

  1. After Registering for the Web application, Head to the “Edit Profile” Section.
  2. In the “Edit Profile” Section, there was a “Username” input field which wasn’t sanitized.
  3. Injected a simple and everyone’s favorite payload as “><script>alert(1);</script> in the “Username” field and Saved the Changes.
  4. Reload the Page and a beautiful POP-UP appears confirming the execution of script.

WAIT A MINUTE…. ISN’T THIS A SELF XSS? 😳

For now, YES

BUT…I was testing on a Staging environment. So, Bugcrowd Team then reproduced the finding on the Production Environment and confirmed that the script injected in the “Username” was executed at an Endpoint which was publicly accessible to any user. So, it was marked as a P2 with category as, Cross-Site Scripting (XSS) > Stored > Non-Privileged User to Anyone.

BUT A DUPLICATE!! 😭

Sad, isn’t it? This is how I felt… 😪

After a Few days, I got a mail from Bugcrowd saying that My Report was identified as a Great Quality Report and I was gifted a 3 month PentesterLab Pro subscription.😍

I was very much happy as my work was appreciated. It seemed that my efforts were paid off.💯

Little did I know, there was a BIG Surprise ahead…💰

After 25 days, I found out 2 more Stored XSS on “FirstName” & “LastName” parameters. I submitted reports for both of them for the same, “Edit Profile” Section.

I didn’t realize that the scripts at “Username”, “FirstName” & “LastName” can also be injected at Registration Endpoint.🤦‍♂️

So all 3 reports were on the same “Edit Profile” section Endpoint and as I had already submitted for “Edit Profile” section Endpoint, both “FirstName” & “LastName” submissions should have been marked as “Not Applicable”.

BUT THEY WERE NOT!

The submission for XSS at “LastName” was marked a duplicate of “FirstName” XSS submission and this submission was forwarded to verify.

I was in a doubt that, “FirstName” XSS submission should have been marked as Not Applicable because I had already submitted “Username” XSS submission at the same “Edit Profile” section Endpoint, then why it was considered for verifying?

Then after revisiting my “Username” XSS submission, I realized that the submission was marked as a Duplicate of another “Username” XSS submission but at Registration Endpoint whereas my submission was for “Edit Profile” endpoint.😮

So I decided to trap up the triager to make him realize this mistake and commented on my “LastName” XSS submission with change in Injection Endpoint and updated the Endpoint to “Registration” Endpoint, to which the triager responded saying that Registration Endpoint was already reported by another researcher. Then I asked him that If a submission is reported for Registration Endpoint and most probably it is the “Username” XSS submission then why was my earlier submission marked as a duplicate when it had “Edit Profile” injection endpoint.

Later, He realized this mistake and updated my 1 month old “Username” XSS submission for which I was rewarded with my First 4 Digit Bounty ($1125).😍

To be honest, I am thankful to the triager for making this mistake else I wouldn’t be gifted with the PentesterLab Pro Subscription. 😂

That's all for my FIRST Article, I Hope you guys enjoyed this form of learning ❤

Stay Safe 🤗

My LinkedIn: www.linkedin.com/in/shrirangdiwakar

Follow my Instagram Creator account for more Bug Bounty & Ethical Hacking related content : https://www.instagram.com/shrirangdiwakar/

Thanks Raj Kaste & Ankit Sharma for helping me out 😊

Co-Founder at Knock Security Solutions | Ethical Hacker | Bug Bounty Hunter | Content Creator | Ideator