It started as a routine bug bounty hunt. But what I found was no ordinary Cross-Site Scripting (XSS) bug: it was a goldmine for Account Takeover (ATO).
By the end of this read, you’ll know:
- How a single XSS flaw exposed 100+ user accounts.
- The sneaky Base64 trick that bypassed filters.
- The exact payload that stole cookies like a thief in the night.
Let’s rewind the story…
The Target: A Million-User Blog Platform
The target was redacted.com (name changed for privacy), a massive blogging site with millions of users.
Subdomains are often the weakest link, so I ran a quick scan and found jp.redacted.com.
Little did I know, this subdomain would hand me the keys to 100+ accounts.
The Discovery: Reflected XSS (RXSS) Strikes Again
Using ParamSpider, I listed every parameter the subdomain exposes with this command:

```
paramspider -d jp.redacted.com -s
```

One parameter stood out: s=.