The Story Of A Sweet XSS

Hi wonderful ppl, hope you are doing good. This Gnana Aravind with another write-up. As I was busy with some personal stuffs, I was not able to be consistent here. So here we gonna make a short discussion about a recent finding of sweet XSS. I appreciate my friend Centurion for this finding. Okay lets get deep dived.

About the Bug

So the target was an academy site which had a comment session. As I found an XSS already in the website, I thought of testing XSS in every end points. So the steps I followed are as simple as this.

  1. Go to comment section of any course in sub.domain.com

2. Click add Question/Comment and Enter the Payload: <img src=x onerror=alert(document.domain)> or <script>alert(document.domain)</script> on Question title Tag and click Post question

3. Now edit the comment and click save.

Triggered XSS

WHOOLA ! A sweet XSS is triggered here. Never get tired of hunting bugs, stay consistent and keep working hard. Bug Bounty = smart work + luck, as of my experience. Am in an idea to provide Bug Bounty Tips and More Hacking Tips in my Twitter handle. Do follow and support there -> @gnana_aravind07.

Join our community and start growing your career. We conduct regular tech events there. Follow and Connect here -> Cyberonics Insta handle -> @cyberonics_official.

See you in another blog guys, stay safe and keep hacking.

#infosec #bugbounty #cybersecurity

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store