LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

How I Found My First Bug Stored Xss and Earned My First Bounty 1000$

4 years ago 175
BOOK THIS SPACE FOR AD
ARTICLE AD

Hi guys ,

This is Nazmul Haque a Newbie security researcher from Bangladesh.This is my 1st write-up and also I am not good at XSS so forgive all mistakes.

It was 11/18/2019 and my 1st day of bug hunting.I’m still newbie!

Today I am gonna to Share a Stored Xss vulnerability what was reported by me to Badoo Security team in their Bug Bounty Program in Hackerone.

So as usual i was created an account in Badoo and Visit a user profile and send message with xss payload.

Image for post

Image for post

So I input a Normal payload :-

“><img src=x onerror=prompt(document.cookie)>

After message sent successfully i clicked on chat now option and i got this Response.

Image for post

Image for post

I reported this issue in NOV 18th. Report Triaged within 2 Hour and they paid me 1000$ for reporting this within 6 hour.

Image for post

Image for post

Video POC: https://www.youtube.com/watch?v=RgGz2z5bFBk

Thanks for reading . Happy Hunting .

Twitter: Nazmul Haque

Facebook: Nazmul Haque

LinkedIn: Nazmul Haque

Read Entire Article
  3. How I Found My First Bug Stored Xss and Earned My First Bounty 1000$

Related

Command Injection: Mastering Exploitation Techniques with a Comprehensive Cheatsheet

Command Injection: Mastering Exploitation Techniques with a Comprehensive Cheatsheet

$3 Billion Crypto Exchange XT Allegedly Hacked

$3 Billion Crypto Exchange XT Allegedly Hacked

Hackers Steal $17 Million from Uganda’s Central Bank

Hackers Steal $17 Million from Uganda’s Central Bank

Small Bugs, Big Bounties: A Hacker’s Guide to Quick Wins

Small Bugs, Big Bounties: A Hacker’s Guide to Quick Wins

Critical Vulnerability Discovered in Zabbix Network Monitoring Tool

Critical Vulnerability Discovered in Zabbix Network Monitoring Tool

All UPI IDs in India have Predictable Patterns that allow the disclosure of mail IDs!

All UPI IDs in India have Predictable Patterns that allow the disclosure of mail IDs!

Trending

1. The Sabarmati Report
2. Amitabh Bachchan
3. Hunter Biden
4. Yeontan
5. Odisha Police Constable Admit Card
6. Sundar Pichai
7. Avadh Ojha
8. Skoda Kylaq
9. Shalini Passi
10. Suraksha Diagnostic IPO GMP

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved