A penetration tester discovered a critical vulnerability chain in a hosting provider that allowed subdomain takeover without DNS verification. The vulnerability stemmed from missing email confirmation during registration, an IDOR in support tickets, and an improper Cloudflare delegation architecture that allowed creating and controlling arbitrary subdomains of delegated domains.
Stored blind XSS vulnerability in the Telegram iOS app allowing arbitrary HTML/JavaScript execution via unvalidated HTML files opened in a webview, enabling device fingerprinting, user activity tracking, and IP geolocation. Successfully exploited by uploading a malicious HTML file that executed JavaScript to extract navigator object data and communicate with an attacker-controlled server.
Security researcher disclosed multiple stored XSS vulnerabilities on Tokopedia's platform, including XSS in product complaint descriptions, shop location parameters, AngularJS template injection in product etalase names, and blind XSS in the Tokocash customer service system. All vulnerabilities were originally reported in 2018 and have since been marked as valid by Tokopedia.
Researcher chained IDOR and stored XSS vulnerabilities to achieve account takeover of all users by injecting malicious JavaScript into a shared element, and separately discovered a blind XSS in an invoice generation feature that exposed customer data in the admin panel. Both findings resulted in $3,500 bounties each.
A bug bounty hunter demonstrates chaining a self-XSS to a blind XSS in an admin panel via an HTML entity encoding bypass, then discovers a reflected XSS on a previously unknown subdomain using KNOXSS payload analysis, earning $700 total. The writeup focuses on practical payload techniques and methodology rather than detailed technical analysis.
A company was compromised by chaining an IDOR vulnerability in a support ticket API with a blind XSS vulnerability in the internal ticket management system. The attacker leveraged blind XSS to extract ticket IDs (which were otherwise hard to brute-force), then used IDOR to access a password reset ticket from Slack that contained registration links to company channels.
A bug bounty hunter discovered an LDAP injection vulnerability while testing for blind XSS on a registration form; the application was vulnerable to LDAP injection despite having a .NET WAF in place, with the error message revealing LDAP directory pathname errors that enabled exploitation.
A researcher discovered a blind stored XSS vulnerability in a form-building service by bypassing quote filters using the javascript: URI scheme merged with legitimate URLs, allowing arbitrary JavaScript execution on admin pages. The technique leverages acceptance of alternative URI schemes (javascript:https://) combined with rendering in anchor tags to inject payloads that execute when accessed by form creators.
Walkthrough of discovering a blind XSS vulnerability using XSS Hunter and Burp Suite by injecting a malicious payload into the Referer header, which was stored and later executed when accessed by administrators or logged-in users.
A bug bounty hunter discovered a blind XSS vulnerability in a company's support panel, used XSSHunter to capture a victim's cookie, and impersonated the user to gain unauthorized access to an internal admin system.
A bug bounty writeup describing the discovery of a blind XSS vulnerability in Apple's systems. The original article is inaccessible via the provided cache link, so technical details cannot be verified.
A researcher discovered a blind XSS vulnerability in GoDaddy's internal customer support panel by injecting XSS payloads into user profile fields (first/last name), which executed when support agents accessed the CRM system. The vulnerability allowed arbitrary actions on customer accounts including domain transfers and account deletion, demonstrating how data poisoning can compromise backend systems drawing from shared data stores.
A blind stored XSS vulnerability was discovered in Google's Invoice Submission Portal on gist-uploadmyinvoice.appspot.com by bypassing front-end PDF file validation through content-type manipulation, allowing arbitrary HTML/JavaScript execution when invoices were viewed by Google employees on googleplex.com. The vulnerability was triggered when uploaded files with modified Content-Type headers were rendered as HTML instead of PDF, executing attacker-controlled JavaScript in the context of an internal Google domain.