Bug type: Stored Cross Site Scripting (XSS) and HTML Injection.

Vaibhav Kumar Srivastava
3 min read · Nov 27, 2021

Hey Everyone!

I have recently started my vulnerability disclosure journey and this is my first write-up (many more to come. PS: pray for me). Instead of jumping directly into bug bounty platforms, I was looking for targets (mostly the low-hanging fruits, to boost my confidence) through Google dorks and saw a web application with a self-hosted vulnerability disclosure program. I cannot reveal the name of the website as the issue is not resolved yet.

I decided to explore the website manually. I checked the login page and then moved to the signup page. As you can see (Figure 1), the signup page has four input fields (e-mail, password, first name, last name).

Figure 1

As a general practice I always try to inject an HTML payload to see whether the website allows any HTML tag or not (stored HTML injection). I used the very basic payload <i>vamp</i> in First name and Last name and clicked on Signup.

Figure 2

Boom! My name was showing in italic font (Figure 3). Stored HTML injection confirmed.

Figure 3

The next step was very obvious, i.e. to check for a stored XSS vulnerability. I logged out, moved to the signup page and tried the basic payload <script>alert(1)</script>, but nothing popped up. I checked the same by capturing the request with Burp Suite, and no tags were stripped in the response either (Figure 4). So there was no issue with a WAF, and the balancing of the payload was also correct, as the same had worked fine during HTML injection.

Figure 4

I tried a different payload this time, <iframe src=javascript:alert(2)>, and got the pop-up (see, variety is important). Stored XSS confirmed.

Figure 5
Figure 6
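The root cause in a case like this is that a user-controlled profile field is placed into the page's markup without output encoding. The following is an added example (not code from the original write-up or from the affected site) showing a hypothetical greeting template in its vulnerable and hardened forms, using the write-up's own payloads as constructed sample input; `renderGreetingVulnerable`, `renderGreeting` and `leaksMarkup` are names assumed for illustration.

```javascript
// Added example: HTML-encode user-supplied profile fields before they reach
// markup. The payloads are the ones from the write-up; the render functions
// are a hypothetical stand-in for the real site's template.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode the five characters that can change HTML context. This is the
// minimum for text placed between tags or inside a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the first/last name from the signup form is
// concatenated straight into markup, so <i>vamp</i> renders in italics and
// <iframe src=javascript:alert(2)> becomes a live element.
function renderGreetingVulnerable(firstName, lastName) {
  return `<p>Welcome, ${firstName} ${lastName}!</p>`;
}

// Hardened rendering: every user-controlled field goes through escapeHtml,
// so the same input is displayed literally and never parsed as a tag.
function renderGreeting(firstName, lastName) {
  return `<p>Welcome, ${escapeHtml(firstName)} ${escapeHtml(lastName)}!</p>`;
}

// Detection aid for a review or test suite: true if the rendered output still
// contains a raw tag taken from the input, i.e. encoding was skipped somewhere.
function leaksMarkup(rendered, input) {
  const tag = input.match(/<[a-z][^>]*>/i);
  return tag !== null && rendered.includes(tag[0]);
}

// Constructed sample inputs reusing the write-up's payloads.
const ITALIC = "<i>vamp</i>";
const IFRAME = "<iframe src=javascript:alert(2)>";

console.log(renderGreetingVulnerable(ITALIC, IFRAME)); // tags survive intact
console.log(renderGreeting(ITALIC, IFRAME));           // tags shown as text
```

The `leaksMarkup` check is the kind of assertion a regression test can run over every template that prints profile data, so a later refactor that drops the encoding is caught before it ships.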

Then I prepared the PoC, including the report and recordings, forwarded it to the organisation, and hopefully I will get the acknowledgement very soon (the least I can expect for now).

Thanks a lot for reading! Stay curious, stay protected!!
