How This $999 XSS Bug Bounty Was Found in Just 17 Minutes
Summary
The authors found a stored XSS vulnerability on a target website in just 17 minutes and received a $999 bounty for it.
XSS vulnerabilities allow malicious actors to hijack user sessions and perform unauthorised actions.
Stored XSS vulnerabilities are particularly dangerous because the malicious script is saved in the target website’s database and executes every time an unsuspecting user loads the affected page; they are like planting a digital time bomb.
The authors used a simple, novel technique: the pattern attribute combined with the oninvalid event handler, so that the input was always invalid and the payload always triggered.
The key lessons are to never trust hidden fields, to treat client-side security as no real security, and to validate on both the client side and the server side.
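To show why the last lesson matters, here is an added example (not code from the article or the target site) of a server-side handler for a hidden field: the vulnerable rendering drops the value straight into an attribute, the hardened version attribute-escapes it and enforces an allow-list, and a small check lists any attributes that a tampered value managed to inject. The field name, the allowed token format and the tampered sample value are all constructed assumptions; the event handler body is a placeholder, not a working script.

```python
import html
import re

# Constructed sample values. The tampered one rewrites the hidden field so the value
# closes its attribute and adds the pattern/oninvalid pair the article describes;
# the handler body is a placeholder rather than a real script.
BENIGN_VALUE = "order-1234"
TAMPERED_VALUE = 'order-1234" pattern="[0-9]" oninvalid="PLACEHOLDER_HANDLER" x="'

# Assumed allow-list for what this hidden field is ever supposed to carry.
ALLOWED_TOKEN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def render_hidden_field_vulnerable(name: str, value: str) -> str:
    """The defect: the client-supplied value goes straight into the attribute, so a
    double quote inside it closes the attribute and the rest becomes new attributes."""
    return f'<input type="hidden" name="{name}" value="{value}">'


def render_hidden_field_safe(name: str, value: str) -> str:
    """Hardened form: attribute-escape the value so quotes become entities and can
    no longer terminate the attribute."""
    return f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}">'


def validate_server_side(value: str) -> bool:
    """Server-side allow-list check. A hidden field is fully client-controlled, so this
    runs on every request regardless of any client-side check."""
    return ALLOWED_TOKEN.fullmatch(value) is not None


def injected_attributes(rendered: str) -> list[str]:
    """Detection helper: return attribute names on the rendered tag beyond the three
    expected ones. A non-empty list means the value broke out of its attribute."""
    names = re.findall(r'\s([a-zA-Z-]+)="', rendered)
    return [n for n in names if n not in ("type", "name", "value")]
```

Running the tampered value through the vulnerable renderer yields the extra pattern and oninvalid attributes, while the escaped renderer yields none and the allow-list rejects the value before it is stored.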