How I Found Stored Cross-Site Scripting on Redact.com
Hello guys, I hope all are well. I am back with another finding.
This time I got multiple Stored XSS bugs on a single program. Last time I posted a Stored XSS finding. I concentrated on the same target. Then I looked at one endpoint. That endpoint asks for company details for advertisement purposes.
I entered normal text and simply reviewed whether our data was reflected anywhere on this site. I then saw that 7+ parameters are reflected in other endpoints. Then I entered "><h1>Test</h1>, a normal payload. 7+ parameters were affected. Then I entered the XSS payload "><img src=x onerror=alert('xss')>. The JavaScript alert() fired.
This XSS was only visible to my account, not to the public. Then I wanted to increase the impact. After one hour I got one lead: I was able to share my profile with the public view.
Now, when any user views my profile page, he/she is affected by the Stored XSS.
In a similar way, I got 5 more Stored XSS bugs in different endpoints.
I reported these bugs. I got a $$$ bounty.
Thank you & stay curious.
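For developers on the receiving end of a report like this, the following added example (not from the original post and not the target's code) shows why the two test strings above break out of a quoted attribute, and the output-encoding fix. The field names `companyName` and `tagline`, the markup and the helper names are assumptions for illustration.

```javascript
// Constructed sample: the two test strings from the write-up, stored as company details.
// Field names and template markup are assumptions, not the real application's.
const storedProfile = {
  companyName: '"><h1>Test</h1>',
  tagline: '"><img src=x onerror=alert(\'xss\')>',
};

// Vulnerable: stored values are concatenated into attribute and element contexts as-is.
// A leading "> closes the value="..." attribute and the tag, so the rest parses as markup.
function renderProfileUnsafe(p) {
  return `<input name="company" value="${p.companyName}">` +
         `<p class="tagline">${p.tagline}</p>`;
}

// Encode the five characters that can change the HTML parsing state.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every stored field is encoded at output time, in every template that
// displays it (the private view and the public profile view alike).
function renderProfileSafe(p) {
  return `<input name="company" value="${escapeHtml(p.companyName)}">` +
         `<p class="tagline">${escapeHtml(p.tagline)}</p>`;
}

// Review aid: list tags in the rendered HTML that the template itself does not emit.
function injectedTags(html, allowed = ['input', 'p']) {
  const tags = [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return tags.filter((t) => !allowed.includes(t));
}

console.log('unsafe:', injectedTags(renderProfileUnsafe(storedProfile)));
console.log('safe:  ', injectedTags(renderProfileSafe(storedProfile)));
```

Because the same stored value is reflected by several endpoints, the encoding has to be applied in each template that renders it, not only on the form where it is entered.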