Posts

Showing posts from December, 2019

XSS like a Pro

Image
Hello Friends,

I'm gonna share my interesting finding here.


Recently, 
About two months ago, I received a private invitation on Bugcrowd and the next day I started to look for bugs on that website because there was only one target (testing site) in scope and they provided me some credentials.

I can't disclose the site name, so let's assume https://redacted.com

First of all, I logged-in to that site (redacted.com) with the provided credentials and inspected the site around 15 minutes and tried to understand it.

After that, I started to look for bugs and found multiple bugs mostly stored XSS. At that day, I had found a total 11 vulnerabilities. I reported them and received a bounty on each report. So, I'm not disclosing the bounties. Also, I'm not sharing my all findings but some.

So, 
At the beginning, I tried to change my default password and successfully changed my password to '1' which was the first bug that there is no password policy. After that, I checked some…