In April of this year, I found a Stored Xss vulnerability at University of Utwente. However, I later realized that there was a vendor of the vulnerable system, and I contacted them. Then they fixed this vuln. and rewarded me with a $$$ bounty. Also this was my first bounty. I don’t say the company that produced the system because they want to remain confidential.
I discovered XSS with a simple payload execution in the “First Name” input. But I thought this vuln was a Self XSS. Because all pages were private for every user (except for one page). Then I saw that the password recovery page also contains user First Name value.
I type a payload in the “first_name” input
but the system always encodes the payloads on Profile Page.
Profile Page was not public anyway. Not bad luck!
I believed XSS was no longer possible. But there is one last place, “Password Recovery Page”, Moreover, it reflects the user’s “first_name” value to the page.
I just created the page with the request to create a Password Recovery Page. The system not encode the payload on this page. So payload was executed!
The end :
9 April 2020 - Report sent
10 April 2020 - Scenario requested
13 April 2020 - Report’s scenario sent
14 April 2020 - I awarded a $$$ bounty