How I Made $1,200 by Finding a Hidden XSS in a “Secure” Web App (Full Walkthrough)
Most people think Cross-Site Scripting (XSS) is beginner stuff.
Sukhveer Singh
~3 min read
March 29, 2026 (Updated: March 29, 2026)
Something you learn…
practice on labs…
and then move on.
I used to think the same — until one small parameter made me $1,200.
This is the exact story of how I found a real-world XSS vulnerability inside a production web app that looked completely secure.
🚀 The Target: A "Hardened" SaaS Platform
I was doing my usual recon on a SaaS-based dashboard platform (let's call it):
https://app.secureflow-analytics[.]com
Everything looked clean:
CSP headers present
WAF enabled
Input filters active
At first glance → not worth time
But experience taught me one thing:
"If it looks secure… dig deeper."
🔍 Phase 1: Recon & Parameter Discovery
Instead of random testing, I focused on parameter mapping.
After crawling and manual exploration, I found an interesting endpoint: https://app.secureflow-analytics.com/dashboard/export?format=pdf&redirect=https://reports.secureflow-analytics.com/view?id=72819&user=guest
That redirect parameter caught my eye.
Why?
Because:
It handled URLs
It reflected external input
It interacted with another subdomain
Perfect candidate.
🧪 Phase 2: Initial Testing (Reflection Check)
First test: https://app.secureflow-analytics.com/dashboard/export?redirect=test123
Response contained the value inside the href of the download link (markup reconstructed from the description; the mirror stripped the tag): <a href="test123">Download Report</a>
Boom. Reflection confirmed.
Now the real game begins.
⚔️ Phase 3: Payload Injection
Tried basic payload (the unencoded form of the encoded payload below): <script>alert(1)</script>
Blocked.
Tried encoded payload: %3Cscript%3Ealert(1)%3C/script%3E
Still blocked.
Clearly:
Input filtering active
Basic payloads useless
Time to go deeper.
🧠 Phase 4: Bypass Strategy
Since it was inside an href, I tested breaking out of it, starting with a javascript: URL: javascript:alert(1)
Payload: https://app.secureflow-analytics.com/dashboard/export?redirect=javascript:alert(1)
Click → ❌ blocked
So I shifted approach:
➡️ Try attribute injection
Payload: " onmouseover="alert(1)
Encoded: %22%20onmouseover%3D%22alert(1)
Final URL: https://app.secureflow-analytics.com/dashboard/export?redirect=%22%20onmouseover%3D%22alert(1)
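The WAF in this story stopped the `<script>` payloads but let the attribute breakout through. The following is an added example, not code from the post, showing what a defender can do with that lesson: scan web-server access logs for requests whose query parameters, once URL-decoded (including double-encoded values), carry tag, event-handler or script-scheme payloads in a parameter that should only ever hold a URL. The log lines, hostnames and rule names are constructed for the demo.

```javascript
// Added example, not code from the post: scan access-log lines for query
// parameters that, after URL decoding, contain attribute-breakout or
// script-scheme payloads. Log lines, hosts and rule names are constructed.

// Constructed sample entries in combined-log style (not real traffic).
const SAMPLE_LOGS = [
  '10.0.0.5 - - [29/Mar/2026:10:00:01 +0000] "GET /dashboard/export?format=pdf&redirect=https://reports.example.test/view?id=1 HTTP/1.1" 200 512',
  '10.0.0.9 - - [29/Mar/2026:10:00:02 +0000] "GET /dashboard/export?redirect=test123 HTTP/1.1" 200 512',
  '10.0.0.9 - - [29/Mar/2026:10:00:03 +0000] "GET /dashboard/export?redirect=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 403 0',
  '10.0.0.9 - - [29/Mar/2026:10:00:04 +0000] "GET /dashboard/export?redirect=javascript:alert(1) HTTP/1.1" 200 512',
  '10.0.0.9 - - [29/Mar/2026:10:00:05 +0000] "GET /dashboard/export?redirect=%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 512',
];

// Things that have no business in a URL-typed parameter such as redirect=.
const RULES = [
  { name: 'html-tag',           re: /<\s*\/?\s*[a-z]/i },            // <script>, </a>
  { name: 'event-handler-attr', re: /["'][^"'>]*\bon[a-z]+\s*=/i },  // " onmouseover=
  { name: 'javascript-scheme',  re: /^\s*javascript\s*:/i },
  { name: 'data-scheme',        re: /^\s*data\s*:/i },
];

// Decode up to three times so double-encoded values are inspected in clear.
function fullyDecode(value) {
  let out = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out.replace(/\+/g, ' ')); } catch { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Pull the request target out of the quoted request line.
function extractRequestPath(line) {
  const m = line.match(/"(?:GET|POST|PUT|DELETE|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Returns one finding { param, rule, value } per rule that fires on a parameter.
function scanLine(line) {
  const path = extractRequestPath(line);
  if (!path || !path.includes('?')) return [];
  const findings = [];
  for (const pair of path.slice(path.indexOf('?') + 1).split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const param = eq === -1 ? pair : pair.slice(0, eq);
    const value = fullyDecode(eq === -1 ? '' : pair.slice(eq + 1));
    for (const rule of RULES) {
      if (rule.re.test(value)) findings.push({ param, rule: rule.name, value });
    }
  }
  return findings;
}

// Scan a whole log and keep only the entries that produced findings.
function scanLogs(lines) {
  return lines
    .map((line, index) => ({ index, findings: scanLine(line) }))
    .filter((entry) => entry.findings.length > 0);
}

for (const hit of scanLogs(SAMPLE_LOGS)) {
  console.log(`line ${hit.index}:`, hit.findings.map((f) => `${f.param} [${f.rule}] ${f.value}`).join('; '));
}
```

Note that the scanner judges the decoded value, not the raw one, so a rule that only knew `<script` in its encoded `%3Cscript` form would miss nothing here; also note that the 403 on the third line and the 200 on the last two are exactly the pattern worth alerting on, since it shows the WAF caught one shape of payload and waved the next one through.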
💥 Phase 5: Exploitation
Rendered HTML (markup reconstructed from the description; the mirror stripped the tag): <a href="" onmouseover="alert(1)">Download Report</a>
That's it.
Written straight into the response. No sanitization.
Hover → alert triggered.
✔️ XSS confirmed
✔️ Bypass successful
✔️ Real impact possible
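What the rendered tag above shows is a value dropped into an attribute with neither validation nor encoding. The block below is an added example, not the platform's code or the author's, placing a hypothetical reconstruction of that vulnerable pattern beside a hardened version: validate the redirect as an https URL on an allow-listed first-party host, then encode it for the attribute context. The function names, the allow-list (using the post's own example subdomain) and the default target are assumptions.

```javascript
// Added example, not code from the post or the platform it describes.
// Vulnerable pattern (hypothetical reconstruction) beside a hardened one.

// The value lands inside href="" with no validation and no encoding.
function renderExportLinkVulnerable(redirect) {
  return `<a href="${redirect}">Download Report</a>`;
}

// Encode the characters that matter inside a double-quoted HTML attribute.
function encodeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Allow-list of redirect hosts (assumed; the post's own example subdomain).
const ALLOWED_HOSTS = new Set(['reports.secureflow-analytics.com']);
// Fallback when the supplied value fails validation (assumed).
const DEFAULT_TARGET = 'https://reports.secureflow-analytics.com/';

// Returns an absolute https URL on an allowed host, or the default target.
function validateRedirect(redirect) {
  let url;
  try {
    url = new URL(String(redirect)); // rejects relative paths, '//host' and garbage
  } catch {
    return DEFAULT_TARGET;
  }
  if (url.protocol !== 'https:') return DEFAULT_TARGET;        // javascript:, data:, http:
  if (!ALLOWED_HOSTS.has(url.hostname)) return DEFAULT_TARGET;  // open redirect, user@host tricks
  return url.href;
}

// Hardened: validate first, then encode for the attribute context.
function renderExportLinkSafe(redirect) {
  return `<a href="${encodeHtmlAttr(validateRedirect(redirect))}">Download Report</a>`;
}

// Stand-alone demo with the values from the write-up.
for (const v of ['https://reports.secureflow-analytics.com/view?id=72819', 'javascript:alert(1)', '" onmouseover="alert(1)']) {
  console.log('vulnerable:', renderExportLinkVulnerable(v));
  console.log('hardened:  ', renderExportLinkSafe(v));
}
```

The two layers do different jobs: validation decides whether the value may be a link target at all (which is what stops `javascript:` and redirects to foreign hosts), and attribute encoding guarantees that whatever string survives cannot close the quote and start a new attribute, so even a gap in the allow-list never becomes script execution. A Content-Security-Policy whose script-src omits 'unsafe-inline' is a third layer: browsers then refuse inline event-handler attributes such as onmouseover outright. The post says CSP headers were present but not what they permitted.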
🧨 Phase 6: Impact Analysis
This wasn't just a popup.
Because:
It was inside an authenticated dashboard
Users regularly clicked export links
Could easily inject malicious JS
Possible impact:
Session hijacking
Credential theft
Phishing injection
Account takeover
📩 Phase 7: Reporting the Bug
I submitted a detailed report including:
Affected endpoint
Full PoC URL
Payload explanation
Impact scenarios
Suggested fix
Within 24 hours, I got a response:
"This is a valid XSS vulnerability. Thanks for the detailed report."
💰 The Result
A few days later:
💸 $1,200 bounty awarded
Not for a "complex exploit"…
but for thinking deeper than basic payloads.
🧠 Key Lessons from This XSS
XSS is NOT dead
→ It's just harder to find
Basic payloads won't work anymore
→ Learn context-based injection
Reflection is everything
→ Always confirm before exploiting
Think like a browser, not a hacker
→ Understand how HTML is parsed
Small parameters = big money
🔥 Want to Learn XSS Like This?
If you're serious about bug bounty and want to go beyond basics:
👉 Free resources & community:
https://t.me/bugitrix
👉 Learn step-by-step XSS (Beginner → Advanced):
https://www.bugitrix.com/blog/fundamentals-basics-4/cross-site-scripting-xss-guide-45
👉 Explore cybersecurity learning platform:
https://bugitrix.com
🚀 Want Personal Guidance?
If you're stuck and want direct clarity:
👉 1:1 Mentorship Session:
https://docs.google.com/forms/d/1jthyuqt8XEmnAyUylsgcT8J0XCf8XLDTf5yt9IegW9Y/edit
👉 Build / Fix Resume & LinkedIn for Cybersecurity:
https://docs.google.com/forms/d/1aAxZ1V88fcE0iDLT_w9ZZlNEyjA0WGWU_5dJCxzhERY/edit
🧩 Final Thought
That $1,200 didn't come from luck.
It came from:
patience
deeper thinking
and not quitting after the first "blocked" payload
If you're still trying random payloads…
You're not hunting bugs.
You're hoping.
#bug-bounty #bug-hunting #cybersecurity #earn-money-online #stories