A tale of Stored XSS #BugBounty

4 years ago

Lavanya Shrivastava

Welcome, All :)

In this first write-up, I'll try to explain every step so that you can understand the methodology in more detail.
The website I was hunting on was sportskeeda.com (I asked them for public disclosure).
Let's dive into the bug: how did I find the stored XSS?

HOW DID I FIND IT?
So immediately after doing recon, I started trying to find XSS and tried several XSS payloads in most of the parameters, but the application was filtering everything properly. I used several methods and different combinations of XSS; nothing worked. So I thought, why not try to bypass it?

So I immediately started understanding the filtering process and began crafting XSS payloads based on the filters. I thought this would work and tried all possibilities, but ended up frustrated; it looked like all of it was in vain.

I thought about giving up on XSS, but at the same time I noticed there was one more feature yet to be tested. I immediately started testing the Twitter and Facebook profile-adding feature, and instead of adding a link I tried a simple XSS payload. What happened next is the dream of every hunter: an "XSS pop-up" :)


Payload I used: "><script>prompt(document.domain)</script>
So finally I found a stored XSS: since the profile is publicly accessible, any user who visits the vulnerable profile will trigger the XSS.
Happy Ending 😁
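To show why the profile-link field was exploitable and how it should have been rendered, here is an added example that is not code from the original post or from sportskeeda.com. The anchor-tag template and the function names are assumptions, since the post does not show the site's markup.

```javascript
// Added example, not from the original post. The <a href="..."> template is
// an assumed stand-in for however the site rendered the saved profile link.

// Vulnerable rendering: the stored value is concatenated straight into the
// attribute, so a leading quote closes href and the rest is parsed as HTML.
function renderProfileLinkVulnerable(url) {
  return '<a href="' + url + '">Twitter</a>';
}

// HTML attribute encoding: neutralises the characters that can close the
// attribute or open a new tag.
function encodeAttr(value) {
  return String(value).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Allow-list the URL scheme so javascript: and data: links are rejected too;
// attribute encoding alone would not stop those inside an href.
function isSafeProfileUrl(url) {
  try {
    const parsed = new URL(url);
    return parsed.protocol === 'https:' || parsed.protocol === 'http:';
  } catch (e) {
    return false; // not an absolute URL at all
  }
}

// Hardened rendering: validate on input, then encode on output.
// Returns null when the value should be rejected rather than rendered.
function renderProfileLinkSafe(url) {
  if (!isSafeProfileUrl(url)) return null;
  return '<a href="' + encodeAttr(url) + '">Twitter</a>';
}

// The payload quoted in the post, used as constructed sample input.
const payload = '"><script>prompt(document.domain)</script>';
const vulnerableOutput = renderProfileLinkVulnerable(payload); // <script> lands in the page
const safeOutput = renderProfileLinkSafe(payload);             // null: rejected
```

The vulnerable renderer emits the `<script>` element verbatim for every visitor of the profile, which is exactly what makes the issue stored rather than reflected; the hardened one never lets the value reach the markup.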

Takeaway
Never give up; always try to understand the application workflow and dive deep into the app.

The company fixed the issue immediately and rewarded a bounty.

Hope you all liked it.

Thanks for reading :)

Instagram: https://www.instagram.com/warrior.hacker/

Linkedin: https://www.linkedin.com/in/lavcyberboy

Twitter: https://twitter.com/warri0r_hacker
