This story begins a couple of years ago. I was browsing a gambling website (which I cannot disclose) when I decided I would search for vulnerabilities on it.
Usually, this is not good practice, since you don't have permission to do so. Getting sued is always a risk. Anyway, I felt like it could be my lucky day, so I just went for it.
Reconnaissance
I was unsure what the backend looked like, but I was sure they were using Vue on the front end. I'm not a front-end guy, and since Vue makes it very easy for programmers to escape user-supplied text, I decided to start testing the API instead of trying to get an XSS.
I probably spent a couple of hours enumerating the site's endpoints and testing for SQL injection on all the available parameters. None of that worked. I remember being pretty mad at the site for not having an account configuration endpoint (it was impossible to change the username, email address, or contact information, since they were storing none of it).
At this point, it was pretty obvious that the programmers didn’t trust the users at all. There wasn’t even a search endpoint. They didn’t want any user input on the website.
And that's when I realized this could be their weak point: if they never expected to store any user-supplied data, maybe the front-end developers never bothered to escape the data coming back from the backend either! Output encoding in the template is what prevents a string from being interpreted as markup, and it only happens if the developers treat that string as untrusted.
Stored XSS
Since the only way to log in was using Steam, I went to my Steam account and changed my name to <script>alert()</script>. I logged out, and when I logged in again: BANG! Stored XSS.
The page owners were not trusting the users, but Steam names can’t be harmful… Right?
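The core of the bug is that a value fetched from the backend (here, the Steam display name) is inserted into the page as raw markup instead of as text. The following is an added example, not code from the article or from the affected site: a stripped-down profile-page renderer in plain Node.js that shows the vulnerable pattern next to the hardened one. String concatenation stands in for Vue's `v-html` / DOM `innerHTML` (unescaped), and the escaper stands in for what Vue's `{{ }}` interpolation does automatically. The profile object, its field names and the profile id are all constructed for the example.

```javascript
// Added example (not the article's code): how a Steam display name reaches
// the profile page unescaped, and the fix. Runs in plain Node.js; no DOM or
// Vue is needed because the point is purely how the string is encoded.

// Constructed sample of what the backend hands the profile page after the
// attacker renamed their Steam account. The id and field names are assumed.
const profileFromBackend = {
  profileId: "76561198000000000",           // hypothetical profile id
  displayName: "<script>alert()</script>",  // attacker-controlled via Steam
};

// Minimal HTML escaper, safe for text nodes and double-quoted attributes.
// Ampersand goes first so already-produced entities are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: trusts whatever the backend returns because "no user input is
// stored", and inserts it as raw markup (the equivalent of v-html/innerHTML).
function renderProfileUnsafe(profile) {
  return `<h1 class="profile-name" title="${profile.displayName}">` +
    `${profile.displayName}</h1>`;
}

// Hardened: every untrusted string is escaped before it becomes markup,
// which is what Vue's {{ displayName }} text interpolation does for you.
function renderProfileSafe(profile) {
  const name = escapeHtml(profile.displayName);
  return `<h1 class="profile-name" title="${name}">${name}</h1>`;
}

// Reviewer's check over rendered output: true when an untrusted value that
// contains angle brackets survives verbatim, i.e. it is live markup.
function leaksMarkup(untrustedValue, renderedHtml) {
  return /[<>]/.test(untrustedValue) && renderedHtml.includes(untrustedValue);
}

console.log("unsafe:", renderProfileUnsafe(profileFromBackend));
console.log("safe:  ", renderProfileSafe(profileFromBackend));
```

Note the `title` attribute: the same display name is reused in an attribute context, where a `"` in the name would break out of the attribute even if no `<` is present, so the escaper has to cover quotes as well as angle brackets. `leaksMarkup` is the kind of quick assertion worth running in a front-end test suite over every field that comes from a third-party identity provider.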
Cool, huh? Not really. My username was only being shown on the profile page (https://website.com/<profile_id>). Usually, companies that are not in a bug bounty program will only listen to you if the bug is a risk for other users, and a self-XSS on your own profile page is not.
And, you know, everyone has friends who like rushing. One of mine said:
“Well, you could send your profile link to a victim.”