How to Upgrade Your XSS Bugs from Medium to Critical

5 min readMay 21, 2019

TL;DR: Before you report an XSS, look for ways it can be leveraged to increase severity. Here’s my repo containing weaponised JavaScript payloads for popular platforms like Wordpress and Drupal. More will be added in the coming weeks.

It feels like every day that I see another under-leveraged XSS writeup hit my Twitter feed. I saw another one today, I don’t want to name and shame, so let’s call the author “Jim”. The write-up went something like this.

Jim found some user input that was reflected, unsanitised
Jim put <script> alert(1)</script> into the input and an alert box popped up
Triaged as P3/Medium Severity
Rewarded $300
The end

The target was a very large company, and this XSS was on their most prominent domain which hosts a customer login portal and performs a number of highly-sensitive actions. What Jim didn’t know is that with a bit of extra effort, this bug could have been upgraded to a one-click account takeover and would likely have paid $5000. Don’t be like Jim.

This problem isn’t unique to Jim. Many penetration testers and bug bounty hunters never put in the effort to build out fully weaponised XSS payloads because it’s time consuming, or too difficult, or they don’t know what’s possible. By the end of this article, you will be armed with the knowledge of how to weaponise your XSS findings, and you’ll also have some XSS payloads I’ve crafted that allow an attacker to take full administrative control of some popular content management systems, namely Wordpress and Drupal.

Before we continue on the XSS train, we need to talk about Cross-Site Request Forgery (CSRF). CSRF occurs where the attacker is able to perform sensitive actions in the context of the victim’s session by convincing them to click a link in their own browser. As an example, let’s say the following URL is used in a web application to update the password of the user who navigates to it.

https://www.example.com/profile/update_password?new_password=Welcome1

Firstly it’s bad practice to put the password in a GET request, but let’s ignore that for a second. If there are no CSRF mitigations in place, an…

How to Upgrade Your XSS Bugs from Medium to Critical

Written by Luke Stephens (@hakluke)

More from Luke Stephens (@hakluke)

Hakluke’s Guide to Amass — How to Use Amass More Effectively for Bug Bounties

Amass has a lot of features. It’s a bit of a weird tool because despite being synonymous with bug bounty recon, and despite being…

Hakluke’s Ultimate OSCP Guide: Part 1 — Is OSCP for you?

If you’ve landed here, you’re probably thinking about taking the Offensive Security PWK course to become an OSCP, but you’re not sure if…

How I Hacked My Way to a Free CrikeyCon Ticket and a New Job

Let’s rewind a week, I noticed a twitter post come up from Paul Jenkins (@infosecrecpaul) and Marcus Lavalle-Smith (@MarcusRecruiter).

Hakluke’s Ultimate OSCP Guide: Part 2 — Workflow and documentation tips

At the start of my labs, I wasn’t really prepared for how much documentation I would be writing. I opted to document ALL of the exercises…

Recommended from Medium

Recon For Web Pen-Testing!!

Reconnaissance, or recon for short, is the process of gathering information about a target to identify vulnerabilities and potential attack…

How did I get 3300$ With Just FFUF!!

By searching inside one of the Bitcoin platforms I found there a place to document accounts by sending documents such as ID or passport…

Lists

Medium Publications Accepting Story Submissions

22.6k+ GitHub Stars Note-Taking App Hit by XSS Vulnerability

CVE-2023–3067: Stored Cross Site Scripting Vulnerability on renowned note-taking thick client app Trillium

How I got RXSS from Shodan

Hello All I’m Mostafa Elguerdawi, In this writeup I will explain how I get RXSS using shodan

$1,250 worth of Host Header Injection

What is Host Header Injection?

Breaking TikTok: Our Journey to Finding an Account Takeover Vulnerability

Hello, fellow security researchers and bug bounty hunters!