First bounty — Second Order Stored XSS on club.paris2024.org


swaroop 04|16

Hello, bug bounty hunters and ethical hackers! Today, I want to share the story of the first vulnerability I discovered that earned me a bounty. Before we dive into the details, let me give you some background on the target. The application I worked on is club.paris, which is involved in organizing the Olympics that took place in Paris last year. I received an invitation to participate through the YesWeHack program.

When I got the invite, I was eagerly waiting to earn around 10,000 rupees for an important event that was happening in May. However, I had little time, as it was already mid-February. Even though I had a salaried job, most of my expenses were already accounted for. Fortunately, I discovered this vulnerability, which helped me achieve my goal and prepare for the event in May.

This experience was incredibly motivating, and I am thrilled to continue pursuing bug bounty hunting each year!

Before going into how I identified this vulnerability, I want to tell you about second-order XSS. Second-order (stored) XSS occurs when the application stores a malicious payload but does not execute it at the point where it is submitted. The script fires only later, when the stored data is rendered or processed somewhere else, often in a different page or feature, or when another user views it. I hope this is clear now.

Steps to reproduce the vulnerability:

As usual, I began exploring the application at https://club.paris2024.org/en/home. While filling out the registration form, I came across a field where users typically enter a random date of birth. In the past, I had made the same mistake, but this time, I decided to try a different approach. For the Date of Birth field, I entered February 27th, 2002, which was one day after the actual date. Along with that, I injected the following payload in the First Name and Last Name fields:
"><img src=x onerrora=confirm() onerror=confirm(1)>

At first, everything seemed fine. I didn’t get any pop-up, and the details were saved without any issues. I completed my testing, finding nothing unusual, and then headed to the office to continue with my work. Later, when I returned to my PG, I suddenly received an email with a “Happy Birthday” message. The email instructed me to click the link to view it in a browser. I clicked on it immediately, and the site redirected me to https://view.contact.paris2024.org, where a pop-up appeared. At that moment, I was confused, as I hadn’t expected this. I had entered the payload with ‘1’ in many fields, but it didn’t click for me right away. After a while, I finally understood what had happened.

This is how I got my first bounty. The reason I am writing the report now is to confirm that, in future, whenever you are testing any application, instead of a random DOB try giving the next day's date; who knows what ran through the developer's mind.

To simplify the above, here are three steps.

Steps to reproduce:

1. Go to the site https://club.paris2024.org/en/home and click on login.
2. In every input field, add this XSS payload: "><img src=x onerrora=confirm() onerror=confirm(1)>
3. In the date of birth field, provide today's DOB, as I did with Feb 27th 2002, so that you get an email from Club Paris like the screenshot below. Open it in the browser and you will get a popup.
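To show where the bug actually lives (the mailer that renders the stored name, not the registration form that accepted it), here is an added Python example that is not code from the original post or from the Paris 2024 site: a constructed user store, the daily birthday-selection step, and the same email template rendered without and with HTML-entity encoding. The field names, the template text and the job structure are assumptions.

```python
import html
from datetime import date

# Constructed sample records standing in for the registration store.
# Names are saved exactly as submitted (no encoding at input time);
# the second record carries the payload quoted in the write-up.
PAYLOAD = '"><img src=x onerrora=confirm() onerror=confirm(1)>'
USERS = [
    {"first": "Alice", "last": "Martin", "dob": date(1990, 2, 27)},
    {"first": PAYLOAD, "last": PAYLOAD, "dob": date(2002, 2, 27)},
]


def users_with_birthday(users, month, day):
    """Selection step of the daily mailer: everyone whose DOB month/day is today."""
    return [u for u in users if (u["dob"].month, u["dob"].day) == (month, day)]


def render_birthday_email_vulnerable(user):
    """Stored name dropped straight into the HTML body; the payload becomes live markup."""
    return f"<p>Happy Birthday {user['first']} {user['last']}!</p>"


def render_birthday_email_safe(user):
    """Same template, but each untrusted value is entity-encoded for the HTML text
    context it lands in. quote=True also encodes the leading '"', which is what the
    payload relies on to break out of an attribute if the template ever changes."""
    first = html.escape(user["first"], quote=True)
    last = html.escape(user["last"], quote=True)
    return f"<p>Happy Birthday {first} {last}!</p>"


def leaks_markup(rendered):
    """True if anything other than the template's own <p> tags survives into the body."""
    body = rendered[len("<p>"):-len("</p>")]
    return "<" in body or ">" in body


def run_daily_job(users, month, day, renderer):
    """Select today's birthdays and render one email body per recipient."""
    return [renderer(u) for u in users_with_birthday(users, month, day)]


if __name__ == "__main__":
    for body in run_daily_job(USERS, 2, 27, render_birthday_email_vulnerable):
        print("vulnerable:", body, "| leaks markup:", leaks_markup(body))
    for body in run_daily_job(USERS, 2, 27, render_birthday_email_safe):
        print("safe:      ", body, "| leaks markup:", leaks_markup(body))
```

The same stored value reaches more than one sink (the profile that showed nothing at submission time, the mailer that fired a day later), so the encoding belongs at every output point, matched to that output's context, rather than only at registration.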

Apologies if it was more theoretical this time, but I believe it’s definitely worth reading. One thing I want to confirm is that when your intentions are good, everything eventually aligns and finds its way to you.

Special Thanks:

Lastly, I want to take a moment to thank a very special person whom I met on September 30, 2022. I want you to know how much your existence means to me. Thank you for being you.
