In bug bounty hunting, there is a golden rule: The more time you spend on a target, the more its secrets unfold. Many researchers move on after finding their first bug, but I prefer a "deep dive" approach. Today, I'm sharing how I discovered four different vulnerabilities — ranging from SVG XSS to IDOR — on a single VDP program by simply testing every function.

Note: This is a series of vulnerabilities I discovered in early 2024. Due to disclosure policies and timing, I'm only able to share the details with you now.

Bug 1–2: HTML Injection & XSS via Profile Description

My first stop was the /profile section. I started by testing the "Edit Profile" description field with simple characters like 123<>.

  • Discovery: The page source revealed that the input was reflected directly without any filtering or WAF protection.
  • Exploitation: I injected <h1> tags for visual impact and an <a> tag to redirect users. This confirmed that the description is stored and rendered unescaped for every visitor, so any user viewing the profile receives my injected HTML, and by extension a stored XSS payload.
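To make the probe-and-verify step concrete, here is an added example (not code from the original post or from the target application) that models the vulnerable rendering beside the fixed one and automates the check described above: submit a probe, then look for it in the page source with its angle brackets intact. The page template, the probe string and the attacker host in the injected anchor are all constructed for illustration.

```python
import html

# Constructed sample inputs: the probe used in the write-up and an
# HTML-injection payload of the kind described (h1 plus a redirecting anchor).
# attacker.example is a hypothetical host.
PROBE = "123<>"
INJECTED = '<h1>pwned</h1><a href="https://attacker.example/">click</a>'


def render_profile_vulnerable(description: str) -> str:
    """Builds the profile page by string concatenation with no encoding.
    This mirrors the observed behaviour: input lands in the HTML verbatim,
    so markup (and script) in the description is interpreted by the browser."""
    return f'<div class="bio">{description}</div>'


def render_profile_fixed(description: str) -> str:
    """Same page with output encoding for the HTML text context.
    html.escape converts < > & and quotes, so markup is shown as text."""
    return f'<div class="bio">{html.escape(description, quote=True)}</div>'


def reflected_unescaped(page: str, probe: str) -> bool:
    """The view-source check from the write-up, automated: does the probe
    appear in the response with its angle brackets intact? A hit means the
    field is injectable in this context. A miss is only a first-pass signal,
    since the app may transform input in ways this substring test misses."""
    return probe in page


def is_injectable(render, probe: str = PROBE) -> bool:
    """Render the probe through the given template and test for reflection."""
    return reflected_unescaped(render(probe), probe)
```

Against a live target the same logic applies to the fetched profile page: if `123<>` comes back as `123<>` rather than `123&lt;&gt;`, the field is injectable and the next step is the HTML and script payloads.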

Bug 3: XSS via SVG (Bypassing the Content Filter)

The application had a public dashboard where users could create posts. While standard tags like <script> were strictly blocked, I noticed the app allowed SVG file uploads for images.

  • The Technique: I prepared a malicious .svg file containing an XSS payload.
  • The Result: Even when security filters are in place for text inputs, file uploads are often overlooked. When the SVG was opened in a new tab or viewed directly, the XSS triggered successfully. (Browsers do not run scripts in an SVG embedded through an <img> tag; the file has to be loaded as a document, which is why viewing it directly matters.)
Sometimes the upload form does not allow .svg at all. In that case, capture the request in Burp and change the file name to a double extension such as payload.svg.png, or try changing the Content-Type header (for example to image/png) while leaving the SVG body untouched. If the server only looks at the name or the header, the file is stored as-is and still renders as SVG when opened directly.
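The following is an added example, not code from the original post or the target: it shows the script-bearing SVG described above, the weak server-side check that the double-extension and Content-Type tricks defeat, and a content-sniffing check that rejects the file regardless of what the client calls it. The SVG payload, the PNG header sample and the allow-lists are constructed for illustration.

```python
import re

# Constructed: an SVG carrying script. When a browser navigates to this file
# directly, the script runs in the origin that served it. Embedded via <img>
# it does not run, which matches the write-up's "opened in a new tab".
SVG_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <script type="text/javascript">alert(document.domain)</script>
</svg>"""

# Constructed: PNG signature plus padding, standing in for a legitimate image.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}
EXT_TO_TYPE = {"png": "image/png", "jpg": "image/jpeg",
               "jpeg": "image/jpeg", "gif": "image/gif"}


def validate_by_name_and_header(filename: str, content_type: str, data: bytes) -> bool:
    """The weak check the bypass targets: trust the last extension component
    and the client-supplied Content-Type. 'payload.svg.png' sent with
    Content-Type: image/png passes, even though the bytes are SVG."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS and content_type in ALLOWED_TYPES


_SVG_ROOT = re.compile(rb"<\s*svg\b", re.IGNORECASE)


def sniff_image_type(data: bytes):
    """Decide the real type from the bytes, not from what the client claims."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if _SVG_ROOT.search(data[:4096]):
        return "image/svg+xml"
    return None


def validate_by_content(filename: str, content_type: str, data: bytes) -> bool:
    """Hardened check: the sniffed type must be an allowed raster type and
    must agree with the extension. SVG never passes, whatever the name or
    header says. If SVG uploads are a requirement, serve them with
    Content-Disposition: attachment or from a separate origin so their
    scripts cannot run against the application's origin."""
    ext = filename.rsplit(".", 1)[-1].lower()
    real = sniff_image_type(data)
    return real is not None and real == EXT_TO_TYPE.get(ext)
```

The sniffing check deliberately ignores the Content-Type header: it is attacker-controlled, and the browser that later fetches the file will decide what to do based on how the server serves it, not on what the uploader claimed.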

Bug 4: IDOR — Unauthorized Post Deletion

This was the most critical finding. While interacting with the dashboard, I captured a "Delete Post" request using Burp Suite.

  • The Attack: I identified the POSTID parameter. I then initiated a deletion of my own post but swapped my post's ID for a victim's POSTID before forwarding the request.
  • Result: The server failed to verify ownership, allowing me to delete any post on the platform.
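As an added example (not the target's code or the original post's), the in-memory model below reproduces the two-account test behind the IDOR: the delete handler that trusts the client-supplied POSTID beside one that checks ownership against the session identity. The post store, user names and the exception type are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Post:
    post_id: int
    owner: str
    body: str


class PermissionDenied(Exception):
    """Raised by the fixed handler when the caller does not own the post."""


class PostStore:
    """Constructed stand-in for the application's post table."""

    def __init__(self):
        self.posts = {}

    def create(self, owner: str, body: str) -> int:
        post_id = len(self.posts) + 1
        self.posts[post_id] = Post(post_id, owner, body)
        return post_id

    def delete_vulnerable(self, session_user: str, post_id: int) -> bool:
        """Mirrors the observed bug: POSTID from the request is used directly.
        The session only proves the caller is some logged-in user, and that
        is never compared with the post's owner."""
        self.posts.pop(post_id, None)
        return True

    def delete_fixed(self, session_user: str, post_id: int) -> bool:
        """Ownership is checked against the server-side session identity,
        never against anything the client sends. Missing and foreign posts
        get the same error so the endpoint does not leak which IDs exist."""
        post = self.posts.get(post_id)
        if post is None or post.owner != session_user:
            raise PermissionDenied(f"user {session_user} may not delete post {post_id}")
        del self.posts[post_id]
        return True


def reproduce_idor(delete) -> bool:
    """The bounty-style check: attacker, authenticated as themselves, sends a
    delete for the victim's POSTID. Returns True if the victim's post is gone."""
    store = PostStore()
    victim_pid = store.create("victim", "victim's post")
    store.create("attacker", "attacker's post")
    try:
        delete(store, "attacker", victim_pid)
    except PermissionDenied:
        pass
    return victim_pid not in store.posts
```

Two points worth keeping in mind when testing or fixing this class of bug: replacing sequential IDs with random ones does not fix it (an attacker who can learn a victim's ID, for instance from the public dashboard, still wins), and the ownership check has to live in the handler itself rather than in the UI that hides the delete button.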

Out of 4 reports, 3 were accepted immediately. This experience reinforced a key lesson: Don't just scratch the surface. If you find one bug, keep digging. There is a high chance that the developers made similar mistakes in other parts of the same application.
