Finally I Got My First XSS

Hi, I’m Rohmad and I’m a Bug Hunter. So in this post, I will discuss, how I discovered my first Stored XSS vulnerability on one of the government websites.

Finally after 15x getting information disclosure, this time I got a different type of vulnerability.

That day I was hunting in one of the bug bounty programs, and when I looked at the clock, it was 3pm. After that I took a break to drink and eat a little snack, while waiting for 4 pm (because at 4 pm it’s time to take a shower haha), and I was relaxing, then it just occurred to me to hunt on one of the government websites, let’s say redacted.com

I immediately jumped to the second stage, namely enumeration to find the target subdomain, I looked for the subdomain using a website-based online subdomain finder tool,

and I immediately tried the subdomains one by one and arrived at the subdomain blog.redacted.com

On this subdomain, the content was very diverse, then when I scrolled down I saw there was a news feature, and I opened the news with the aim of looking for a comment form, when I got to the bottom it turned out to be true, I saw there was a comments form, then I immediately tried to enter simple payload like:

<script>alert(“payload success”)</script>

And a pop up automatically appears showing the words payload successful,

Which means the payload was successfully executed and stored in the website database. then I tried closing the browser and turning off my laptop, then opening the website again on my cellphone. And when I opened it a pop up appeared as I explained earlier. Why? because it is a type of stored xss, the person who can delete the payload means the person who has the highest access rights, namely the admin.

Yes that’s all my experience of finding stored xss vulnerabilities and thank you.