Easy Stored XSS Worth Letter of Appreciation from GUVI 💪 💪

ProfessorXSS
3 min readJan 12, 2023

In my previous article, I explained a Cloudflare WAF bypass with a simple payload. In this article, I used the same payload to bypass the WAF and obtain a stored XSS.

This target is India's leading EdTech Startup incubated by IIT-M & IIM-A, providing highly-effective & finest learning solutions through a vernacular approach to more than 1.8 million learners worldwide.

Let’s get Started !! 😉

While simply browsing this application, I observed that it is protected by the Cloudflare WAF:

I also observed that this application uses the latest technology stack to serve its content.

This time it was simply a trial-and-error method; I didn't perform much recon or exploitation, as this was not an application I was targeting for hunting.

I started looking at the functionality and found the profile page, a common module in most modern applications.

I opened the summary tab and injected the simple XSS payload:

After clicking the save button, I immediately got the XSS pop-up.

That's awesome, and exactly what I expected.

Because the user-supplied data is stored in the application database, the injected payload is triggered for the user who logs in to this account; this is commonly called "stored XSS".

I was then able to retrieve the cookie with document.cookie:
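As an added defender-side example (not code from the original post, and not GUVI's code), here is the difference between a profile-summary renderer that interpolates stored user input straight into HTML and one that HTML-encodes it, plus a Set-Cookie header that keeps the session cookie out of document.cookie and a small scan for summaries already stored with markup. The payload and records are constructed samples; the post does not show its exact payload.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample of what might be saved in the profile "summary" field.
MALICIOUS_SUMMARY = "<script>alert(document.cookie)</script>"

# Constructed sample rows as they might sit in the profiles table.
SAMPLE_RECORDS = [
    {"id": 1, "summary": "Python developer & mentor"},
    {"id": 2, "summary": MALICIOUS_SUMMARY},
    {"id": 3, "summary": "Loves <3 security"},  # '<' but no markup: must not be flagged
]


def render_summary_vulnerable(summary: str) -> str:
    """Interpolates the stored summary directly into HTML: the stored-XSS bug."""
    return f"<div class='summary'>{summary}</div>"


def render_summary_safe(summary: str) -> str:
    """Encodes the stored summary for the HTML body context before rendering."""
    return f"<div class='summary'>{html.escape(summary, quote=True)}</div>"


def session_cookie_header(session_id: str) -> str:
    """Builds a Set-Cookie header whose value document.cookie cannot read (HttpOnly)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")


# Rough triage pattern for already-stored summaries: script tags, inline event
# handlers and javascript: URLs. A review aid, not a substitute for output encoding.
_SUSPICIOUS = re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.IGNORECASE)


def find_suspicious_summaries(records) -> list:
    """Returns the ids of records whose summary matches the triage pattern."""
    return [r["id"] for r in records if _SUSPICIOUS.search(r["summary"])]
```

The safe renderer turns the constructed payload into inert text (`&lt;script&gt;...`), and the HttpOnly flag means a script that does run still sees nothing useful in document.cookie.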

I'm a security researcher, and our duty is to secure the internet without expecting any reward. I ethically reported this to GUVI and got the following response:

A letter of appreciation is yet to be shared by the team.

Video POC 👇

I'm happy that they appreciated the responsible disclosure and my effort!!

That’s it for this write-up.

Happy Hacking 🥂🥂

Thanks for reading.

Please follow me for more writeups.


ProfessorXSS

Security enthusiast working to secure web for others