Introduction

Hey hackers, I'm Akash Vishwakarma aka thatcyberboy, a BCA final-year student and an aspiring ethical hacker. This is my first write-up, and instead of sharing something complex, I want to tell you the story of how I found my very first vulnerability — and the mistake that came with it.

This wasn't just about finding a bug. It was about understanding the line between curiosity and responsibility.

The Beginning

Back when I was just starting out, I was deeply fascinated by hacking. I had heard about platforms like HackerOne and Bugcrowd, but I didn't fully understand the importance of permission and responsible disclosure.

At that time, I used to test random websites I came across. My mindset was simple: if I found something, I would report it to the owner and move on. I didn't realize that testing without permission is not ethical — and can even be illegal.

The Holi Trend

It was around Holi, and my WhatsApp groups were filled with personalized "Holi wishes" links. These websites allowed users to generate greeting pages with their names displayed in colorful designs.

The URLs looked something like:

  • abc.com/some_random_text
  • example.com/some_random_text

Curious, I opened one of them (abc.com).

It displayed a beautifully designed Holi greeting with my uncle's name and a button to create my own version. When I entered my name, the URL changed to something like:

abc.com/holi-wishes/?name=Akash&other=params

At that moment, I remembered something I had recently learned — XSS (Cross-Site Scripting).

First Attempt: Failure

I tried a basic payload:

<script>alert(1)</script>

Nothing happened.

I tried multiple variations of <script> tags, but the website was filtering the tag. It was either being removed or escaped.

I felt stuck. I thought I had found something, but I couldn't exploit it.

Second Attempt: Digging Deeper

Then I opened the second website (example.com). This one had more functionality — it allowed users to comment on the generated wishes, and the creator could view those comments in a dashboard.

This looked more interesting.

I created my own greeting page from the dashboard and sent the link to myself. Then I opened it in incognito mode and added a comment:

Name: Akash
Comment: <script>alert(1)</script>

The comment was submitted successfully, but nothing happened.

When I checked my dashboard, I saw that the tag had been removed.

Another failure :(

Breakthrough Moment

Instead of giving up, I searched for "XSS medium writeups" and found an XSS cheat sheet.

That's when I discovered a different kind of payload.

I tried one of them, <img src="x" onerror="alert(1)">, in the comment section again.

Then I went back to my dashboard…

BOOM.

An alert box popped up.

"example.com says 0"

That was the moment I realized — I had just found a Stored XSS vulnerability.

Understanding What Happened

The website was using a blacklist filter that removed only <script> tags. It did not sanitize other elements such as <img> or event-handler attributes such as onerror.

This worked because the application allowed HTML input but didn't properly sanitize attributes inside tags.

Since the payload was stored in the database and executed whenever the dashboard loaded, this was a Stored XSS.
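
To make the difference concrete, here is an added example (not code from either website and not part of the original write-up). It compares a blacklist filter of the kind described above with HTML output encoding, using the two payloads from this story. The function names and the filter's regular expression are assumptions made for illustration.

```javascript
// Added example: blacklist filtering vs. output encoding.
// blacklistFilter is a hypothetical reconstruction of the weak filter;
// the real site's code is not known.

// Weak: removes only <script> tags, leaves every other tag and attribute.
function blacklistFilter(input) {
  return input.replace(/<\/?script\b[^>]*>/gi, "");
}

// Hardened: encode on output so the browser treats the value as text.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical dashboard template that renders one stored comment.
function renderComment(name, comment, sanitize) {
  return `<li><b>${sanitize(name)}</b>: ${sanitize(comment)}</li>`;
}

// True if the rendered HTML contains any tag other than the template's
// own <li> and <b>, i.e. user input survived as live markup.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi) || [];
  return tags.some((t) => !/^<\/?(li|b)>$/i.test(t));
}

// Constructed sample input: the two payloads quoted in this write-up.
const samples = [
  "<script>alert(1)</script>",
  '<img src="x" onerror="alert(1)">',
];

function compare() {
  return samples.map((payload) => ({
    payload,
    blacklist: containsInjectedTag(renderComment("Akash", payload, blacklistFilter)),
    encoded: containsInjectedTag(renderComment("Akash", payload, escapeHtml)),
  }));
}

console.log(compare());
```

The blacklist column is true only for the img payload, which matches what happened on the dashboard, while the encoded column is false for both.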

Reflected XSS Discovery

After this, I went back to the first website and tried the same payload in the URL parameter:

?name=<img src="x" onerror="alert(1)">

And it worked there too.

This time, the payload executed instantly when the page loaded.

This was a Reflected XSS vulnerability.

The Mistake

At that time, I didn't fully understand the seriousness of what I had found.

Out of excitement, I shared manipulated links in my WhatsApp groups where the alert box displayed messages like:

"HACKED BY AKASH"

I thought it made me look cool.

But in reality, this was irresponsible and unethical behavior.

This is not what ethical hacking stands for.

Responsible Disclosure

I searched for the website owner's contact and reported the vulnerability via email, explaining the issue clearly.

They responded positively and thanked me for reporting it.

That moment meant a lot more than triggering alerts ever did.

It made me feel like I was finally moving in the right direction — towards ethical hacking.

Lessons Learned

  1. Always take permission before testing any system. Testing without authorization is illegal, no matter your intention.
  2. Basic payloads are not enough. Understanding how filters work is key to bypassing them.
  3. Never exploit vulnerabilities for attention. Short-term validation is not worth long-term consequences.
  4. Responsible disclosure matters. Reporting a bug properly is what makes you an ethical hacker.
  5. Every failure teaches something. My first success came after multiple failed attempts.

Conclusion

This was my first bug — not the most complex one, but definitely the most important one for me.

It taught me not just about XSS, but about responsibility, ethics, and the right way to approach security.

If you're just starting out, remember: Curiosity is powerful — but ethics define your path.

Thanks for reading.