My Second Bug: XSS(self) on Comment Box

Aman Bhuiyan
Sep 19, 2024

Hi Bug Hunter, today I am writing about my second bug discovery on a VDP (Vulnerability Disclosure Program). My first bug was XSS via HTML injection in a chatbot on a BBP (Bug Bounty Program), which paid $$$.

How I found the Cross-Site Scripting bug in the comment box:

When I choose a target, I first explore the main site and its functionality. On this target, after exploring more things and testing many functions, my attention was drawn to the blog post of the example.com site.

Program Details:

The target site is a music band site where artists or anyone can register and share their lyrics in their profile. Anyone can also go to the Lyrics comment box and comment there. Here comes the vulnerability!

Steps to Reproduce:

  1. Go to the comment box of any user account.
  2. I went to this user account as a visitor: {{https://example.com/a/artist_profile_link}}
  3. I injected an HTML payload into the comment box and boom...! The HTML code rendered!
  4. It is time to test XSS in this comment section now!
  5. Injected this payload:

<button onclick="alert(document.cookie)">XSS</button> 
<button onclick="alert(document.domain)">XSS</button>

[Image: Comment Box]
[Image: XSS has been triggered]
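
The behaviour in steps 3 to 5, as an added example that is not part of the original post and not the target site's code: a comment concatenated into the page as markup next to the same comment HTML-encoded on output, with a coarse regression check run over the two payloads above. The function names and the `<div class="comment">` wrapper are assumptions.

```javascript
// Added example. Function names and the wrapper markup are assumptions,
// not code from the site described in the post.
const WRAP_OPEN = '<div class="comment">';
const WRAP_CLOSE = '</div>';

// Constructed sample input: the two payloads from the post plus benign text.
const SAMPLE_COMMENTS = [
  '<button onclick="alert(document.cookie)">XSS</button>',
  '<button onclick="alert(document.domain)">XSS</button>',
  'Great lyrics <3 & "nice" chorus',
];

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak form: the comment is concatenated into the page as markup.
function renderCommentUnsafe(body) {
  return WRAP_OPEN + body + WRAP_CLOSE;
}

// Corrected form: the comment is encoded on output and displays as text.
function renderCommentSafe(body) {
  return WRAP_OPEN + escapeHtml(body) + WRAP_CLOSE;
}

// Coarse regression check (a regex, not an HTML parser): report every element
// and inline event handler found inside the wrapper. Anything reported can
// only have come from the comment text.
function injectedMarkup(rendered) {
  const inner = rendered.slice(WRAP_OPEN.length, rendered.length - WRAP_CLOSE.length);
  const found = [];
  for (const m of inner.matchAll(/<\s*([a-zA-Z][\w-]*)([^>]*)>/g)) {
    const handlers = [...m[2].matchAll(/\s(on\w+)\s*=/gi)].map((h) => h[1].toLowerCase());
    found.push({ tag: m[1].toLowerCase(), handlers });
  }
  return found;
}

for (const comment of SAMPLE_COMMENTS) {
  console.log('unsafe:', JSON.stringify(injectedMarkup(renderCommentUnsafe(comment))));
  console.log('safe:  ', JSON.stringify(injectedMarkup(renderCommentSafe(comment))));
}
```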

The reply from the security team:

The report's response indicates that it's classified as a P5 (informational bug).

[Image: Reply of the Bugcrowd Security Team report]

#happyhacking #bugbounty #bugcrowd #XSS_attack
