While browsing a web application (let's call it redacted.com for privacy), I created a throwaway account to test the website's features and see whether it had any exploitable vulnerabilities. As I navigated the site, I noticed an option to change the account's email address. Curious, I clicked on it and observed something peculiar in the URL.
The URL for changing the email looked like this:
https://redacted.com/user/959098/edit?secop=

The empty secop= parameter immediately caught my attention. Parameters like this are worth a closer look: whatever value they carry is processed by the application, and possibly echoed back into the page. My instinct told me to investigate further.
To better understand the behavior of this parameter, I created a unique marker, MICK19J, and added it to the secop parameter. This helped me track it in the application’s source code. My modified URL looked like this:
https://redacted.com/user/959098/edit?secop=MICK19J

I then searched for MICK19J in the page source, and voilà! This is what I found:
<a href="/user/959098/edit?secop=MICK19J&locale=en_US">

At this point, I knew the parameter's value was being reflected verbatim inside a double-quoted href attribute, with neither URL encoding nor HTML attribute encoding applied. That means a double quote in the value closes the attribute and a > closes the tag, leaving the rest of the value to be parsed as new HTML. This was the golden ticket for testing an XSS payload.
I replaced MICK19J with a simple XSS payload to trigger a pop-up alert. The URL became:
https://redacted.com/user/959098/edit?secop=MICK19J%22%3E%3Csvg%20onload=alert(%27XSS%27)%3E

Decoded, the parameter value is MICK19J"><svg onload=alert('XSS')>: the quote and angle bracket close the original anchor tag, and the svg element's onload handler fires as soon as it is parsed. When I visited this modified URL, the payload executed successfully, displaying the familiar alert('XSS') pop-up in the browser.
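To make the mechanics concrete, here is an added example (my own code, not part of the original write-up or the affected site) that models the vulnerable link rendering, the hardened rendering a developer should use, and the canary-marker check described above. The server-side template shape, the user id and the secop parameter are assumptions modelled on the URL in the post; nothing here contacts a real host.

```javascript
// Added example, not code from the original write-up or the affected site.
// Assumptions: the "edit email" link is built by a server-side template that
// interpolates the secop query value into an href, as the reflected HTML suggests.

const MARKER = "MICK19J";
const PAYLOAD = "MICK19J\"><svg onload=alert('XSS')>"; // decoded form of the URL payload

// Vulnerable rendering: the query value is dropped straight into the href.
function renderLinkVulnerable(userId, secop) {
  return `<a href="/user/${userId}/edit?secop=${secop}&locale=en_US">`;
}

// HTML attribute encoding: replace every character that can end or alter an
// attribute value with its entity, so the value can never leave the quoted href.
function encodeForHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: encode once for the URL context (query string), then once
// more for the HTML context (attribute). Each layer is decoded by exactly one
// parser, so neither can be used to break out of the other.
function renderLinkHardened(userId, secop) {
  const href =
    `/user/${encodeURIComponent(String(userId))}/edit` +
    `?secop=${encodeURIComponent(secop)}&locale=en_US`;
  return `<a href="${encodeForHtmlAttribute(href)}">`;
}

// The manual "search the page source for the marker" step, automated: find the
// marker and classify where it landed, because the payload that works depends on it.
function reflectionContext(html, marker) {
  const idx = html.indexOf(marker);
  if (idx === -1) return "none";
  const before = html.slice(0, idx);
  const lastOpen = before.lastIndexOf("<");
  const lastClose = before.lastIndexOf(">");
  if (lastOpen > lastClose) {
    // We are inside a tag. An odd number of quotes since the tag opened means
    // we are inside a quoted attribute value of that quote type.
    const tagPart = before.slice(lastOpen);
    const dq = (tagPart.match(/"/g) || []).length;
    const sq = (tagPart.match(/'/g) || []).length;
    if (dq % 2 === 1) return 'attribute(")';
    if (sq % 2 === 1) return "attribute(')";
    return "attribute(unquoted)";
  }
  return "text";
}

// Crude tag enumerator used to show whether the payload created a new element.
function extractTagNames(html) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Walk through the same steps as the write-up.
console.log("context:  ", reflectionContext(renderLinkVulnerable(959098, MARKER), MARKER));
console.log("vulnerable:", renderLinkVulnerable(959098, PAYLOAD));
console.log("  tags:   ", extractTagNames(renderLinkVulnerable(959098, PAYLOAD)).join(","));
console.log("hardened:  ", renderLinkHardened(959098, PAYLOAD));
console.log("  tags:   ", extractTagNames(renderLinkHardened(959098, PAYLOAD)).join(","));
```

The vulnerable render of the payload yields two elements, `a` and `svg`; the hardened render yields only the `a`, with the quote and angle brackets surviving as %22, %3E and %3C inside the query string and the ampersand and apostrophes as entities. Attribute encoding alone would also have stopped this particular payload, but URL-encoding the query value first is what keeps the link semantically correct as well as safe.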
Screenshot:
After confirming the vulnerability, I reported it to the website's security team, including the following details:

- Steps to reproduce the issue.
- The affected URL.
- The payload I used.
- Screenshots of the reflected parameter and the successful alert box.

This experience reinforced some important takeaways:
- Always scrutinize query parameters. They can reveal how the application processes user input.
- Test safely and responsibly. Always use fake accounts and avoid testing with real user data.
- Report vulnerabilities promptly. Responsible disclosure helps protect users and improves overall web security.

As I write this, the security team is reviewing the report. I hope this vulnerability will be addressed quickly to prevent potential exploitation.
Hunting for vulnerabilities is both a science and an art. It requires curiosity, patience, and a thorough understanding of how web applications work. This discovery was not just a win for me, but also a win for the site’s users, whose data will be safer once the issue is patched.
If you’re an aspiring ethical hacker, remember that every small clue in a web application could lead to something significant. Keep learning, keep testing, and always act responsibly.