7. XS-Leaks Vulnerability leads to $$$

Most vulnerabilities exploit server bugs.

medium.com

You send a payload → the application processes it → the bug triggers.

Second-order vulnerabilities work very differently.

Here, the payload is stored safely at first, sometimes even sanitized or accepted normally. The real vulnerability only appears later, when another part of the system processes that stored data.

This delay makes second-order bugs some of the most overlooked and most valuable findings in bug bounty.

None
Created By Gemini

List: Bug Bounty from Scratch Series #1 to #25 | Curated by Abhijeet kumawat | Medium

Bug Bounty from Scratch Series #1 to #25 · 25 stories on Medium

medium.com

🧠 What Is a Second-Order Vulnerability?

A second-order vulnerability happens when:

  1. The attacker stores malicious input somewhere in the system.
  2. The application saves the input safely (no error, no execution).
  3. Later, another component retrieves and processes that stored data unsafely.

The attack triggers only at step 3, not step 1.

In simple terms:

The payload is harmless when saved. It becomes dangerous when reused later.

📹 Real Exploitation Flow (PoC Mindset)

None
Source: Google.com
Attacker
   |
   | Stores malicious input
   | (profile name, address, comment)
   ↓
Application
   |
   | Input stored in database
   | (no immediate vulnerability)
   ↓
Later...
   ↓
Admin panel / background job / report system
   |
   | Retrieves stored data
   | Uses it in unsafe query
   ↓
💥 Payload executes

The attacker might not even be online when the bug triggers.

🎯 Why Second-Order Bugs Are Powerful

Second-order vulnerabilities can lead to:

  • SQL injection
  • Stored XSS
  • command injection
  • logic corruption
  • admin compromise
  • data exfiltration

They are powerful because:

  • scanners rarely detect them
  • payload execution happens in a different context
  • developers assume stored data is safe

🧪 Where to Look for Second-Order Bugs

Second-order bugs usually appear where user input is stored and reused later.

Common locations include:

profile fields
usernames
addresses
bio/about sections
comments
support tickets
file names
API metadata
logs

Places where stored data may later appear:

admin dashboards
report generators
search queries
analytics jobs
email templates
PDF exports
background jobs

If data travels between multiple components, investigate.

🧪 How to Find Second-Order Bugs (Step-by-Step)

Step 1 — Identify Stored Inputs

Look for inputs that persist in the system:

Examples:

profile update
comment systems
support tickets
product reviews
settings fields

Use Burp Suite to capture the request.

Example:

POST /profile/update

Payload:

{
  "name": "testuser"
}

Step 2 — Inject a Non-Destructive Test Payload

Start with something detectable but harmless.

Example payload:

test'123

or

";sleep(5);"

or

<test_marker_123>

Save it.

No vulnerability will trigger yet.

Step 3 — Track Where the Data Appears Later

Now investigate:

  • admin panel views
  • exported reports
  • internal search
  • analytics dashboards
  • notification emails

Check whether the stored input appears.

Example:

Admin → User list → profile name

This is where second-order execution may occur.

Step 4 — Trigger the Second-Order Context

Suppose your stored payload appears in a SQL query like:

SELECT * FROM users WHERE name = '<stored_value>'

If the stored value is:

test' OR 1=1 --

Then the resulting query becomes:

SELECT * FROM users WHERE name = 'test' OR 1=1 --'

That's SQL injection — triggered later.

🧰 Tools You'll Actually Use

🔧 Primary Tools

  • Burp Suite (Proxy + Repeater)
  • Browser DevTools
  • SQLMap (sometimes helpful)
  • manual exploration

Second-order bugs require thinking through application flows, not automated scans.

🧪 Practical Payload Examples

Second-Order SQL Injection

Store this in a profile field:

test' OR 1=1 --

Later check admin search or reports.

Stored XSS Example

Store in comment:

<script>alert(1)</script>

The vulnerability might trigger when:

Admin reviews comments

Template Injection

Store payload:

{{7*7}}

If the app later renders templates unsafely, it might evaluate.

🚩 Signals You Found a Second-Order Bug

Watch for:

  • payload appears later in another interface
  • errors triggered in background processes
  • SQL errors in logs or admin panels
  • delayed execution after saving input
  • vulnerability triggered by admin actions

Second-order bugs often require patience and observation.

🧨 Turning This Into a High-Impact Report

To demonstrate impact clearly:

  1. Show where payload is stored
  2. Show where it later executes
  3. Explain the execution context
  4. Prove data exposure or code execution

Example impact statement:

A malicious payload stored in the user profile field is later processed in the admin reporting system without sanitization, resulting in SQL injection and unauthorized database access.

This clearly shows the two stages of exploitation.

📝 How to Report This (Report-Ready)

Title

Second-Order SQL Injection via Stored User Profile Field

Impact

An attacker can store malicious input in their profile, which is later processed by the administrative reporting system. Because the stored input is inserted into SQL queries without sanitization, this results in SQL injection and potential database compromise.

Why This Matters

  • affects admin users
  • bypasses initial input validation
  • triggers in privileged contexts

🧠 Why Most Hunters Miss Second-Order Bugs

Because:

  • they test only immediate responses
  • scanners look for instant vulnerabilities
  • execution may occur minutes or hours later
  • it requires understanding data flow across the application

The vulnerability exists between components, not inside a single endpoint.

🚀 What You Should Do After Reading This

Whenever you store data in an application:

Ask yourself:

"Where will this data be used later?"

Then follow that trail.

Second-order bugs reward hunters who think like system architects, not just endpoint testers.

🐾 Final Thoughts for This Series

This series explored vulnerabilities that many hunters overlook:

  • cache logic flaws
  • OAuth trust issues
  • race conditions
  • prototype pollution
  • JWT confusion
  • WebSocket authorization flaws
  • XS-Leaks
  • second-order vulnerabilities

Each of these bugs shows a common theme:

- The most valuable vulnerabilities are rarely found in obvious places.

- They exist where systems interact, assumptions fail, and logic breaks.

- That's where great bug hunters operate.

☕Support the Work (If This Helped You)

If this write-up helped you understand Web Cache Deception better — or saved you hours of trial and error — you can support my work here:

👉 Buy Me a Coffee: Abhijeet Kumawat❤️

Your support helps me keep publishing deep, practical bug bounty content with real attack flows, payloads, and reporting insights — not surface-level theory.

_ No pressure. Just appreciation❤️

None
Source: gifer.com