Stored XSS via Invite leading to Account Takeover at Opera.

Hey guys!! I am Samrat Gupta aka Sm4rty, a Security Researcher and a Bug Bounty Hunter. I hope everyone is safe in the current Covid-19 pandemic situation. I am back with another blog. I hope you will learn something new today.

So, this is the story of a Stored XSS which I recently found on one of the domains of the Opera Bug Bounty Program. Let's get started.

What is Stored XSS?

Stored XSS, also known as persistent XSS, is generally the most damaging of the three XSS types (stored, reflected and DOM-based). It occurs when a malicious script is injected into a vulnerable web application and saved on the server, from where it is served to every user who later views the affected page. Because the victim does not have to click a crafted link, and the payload fires for every user who loads that page, the impact is typically higher than for reflected XSS.

How I found Stored XSS at Opera?

About a month ago I was hunting on Opera. I picked the domain which was in the scope of the Opera program on Bugcrowd.

At first, I began with the initial recon, i.e. subdomain enumeration, port scanning, screenshots, and running Nuclei. Then I thought of exploring the features as a normal user.

In the application, I found a function where a user can create a publisher. So, I randomly tried an XSS payload </h4><script>alert(document.cookie)</script> in the Name parameter of the publisher. As expected, nothing happened and the XSS didn't trigger.

Then I further explored the application and found a feature where I was able to invite other users to access the publisher which I had just created. So, I created a second account on the website.

From the first account, I invited the second account to the publisher. Then, from the second account, I clicked 'accept' on the invitation.

BOOM!! XSS Triggered.

I tried the same steps again, but instead of accepting the invite I clicked 'decline', and guess what, the XSS triggered again.
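To make the mechanism behind the story concrete, here is an added example (not code from Opera or from this post) that models it in plain JavaScript. A publisher name is stored once and rendered by several views: the publisher page escapes it, so the payload looks dead there, while the invitation accept/decline view interpolates the same stored value straight into HTML, which is where it fires. The last function turns the "try every endpoint where the value is reflected" idea into a check. All names (db, createPublisher, renderInviteVulnerable, findUnescapedSinks) and the in-memory data are hypothetical and constructed for this example.

```javascript
// Added example, not the original post's code. Models a stored value that is
// escaped in one view and reflected raw in another, as described above.

// The payload from the post.
const PAYLOAD = '</h4><script>alert(document.cookie)</script>';

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed in-memory store standing in for the application's database.
const db = { publishers: new Map(), invites: new Map() };

function createPublisher(id, name) {
  // The name is stored verbatim; storing it is not where XSS is decided,
  // rendering it is.
  db.publishers.set(id, { id, name });
}

function invitePublisherMember(inviteId, publisherId, invitee) {
  db.invites.set(inviteId, { inviteId, publisherId, invitee, state: 'pending' });
}

// View 1: the publisher page encodes the name, so the payload is inert here.
// This is the "nothing happened" step from the post.
function renderPublisherPage(publisherId) {
  const pub = db.publishers.get(publisherId);
  return `<h4>Publisher: ${escapeHtml(pub.name)}</h4>`;
}

// View 2 (vulnerable): the invitation accept/decline page drops the same
// stored name straight into the markup. Both buttons share this template,
// which is why accept and decline both triggered it.
function renderInviteVulnerable(inviteId) {
  const inv = db.invites.get(inviteId);
  const pub = db.publishers.get(inv.publisherId);
  return `<h4>You were invited to ${pub.name}</h4>` +
         `<form method="post"><button name="action" value="accept">Accept</button>` +
         `<button name="action" value="decline">Decline</button></form>`;
}

// View 2 (fixed): identical template, output-encoded at the point of rendering.
function renderInviteFixed(inviteId) {
  const inv = db.invites.get(inviteId);
  const pub = db.publishers.get(inv.publisherId);
  return `<h4>You were invited to ${escapeHtml(pub.name)}</h4>` +
         `<form method="post"><button name="action" value="accept">Accept</button>` +
         `<button name="action" value="decline">Decline</button></form>`;
}

// The takeaway as code: render every view that shows the stored value and
// report the ones that reflect the payload without encoding it.
function findUnescapedSinks(views, payload) {
  return Object.entries(views)
    .filter(([, render]) => render().includes(payload))
    .map(([name]) => name);
}

// Walk through the post's steps: store the payload as a publisher name,
// invite a second account, then check each view that renders the name.
function demo() {
  createPublisher('pub1', PAYLOAD);
  invitePublisherMember('inv1', 'pub1', 'second-account@example.com');
  return findUnescapedSinks({
    publisherPage: () => renderPublisherPage('pub1'),
    inviteVulnerable: () => renderInviteVulnerable('inv1'),
    inviteFixed: () => renderInviteFixed('inv1'),
  }, PAYLOAD);
}

console.log('views reflecting the raw payload:', demo());
```

The point the check makes is that escaping is a property of each output location, not of the stored value: a payload that is harmless on the page where you typed it can still be live anywhere else the same field is rendered. In a real application the candidate views also include e-mail notifications, admin panels and API responses rendered client-side, so the list passed to the check should be every place the field appears.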

So, I got too excited and just reported it to the program. But unfortunately, I was a bit late. Someone had already reported the vulnerability before me, and all I got was a duplicate. But still, I learned a lot.

Key Takeaways:

  1. When the XSS payload doesn't trigger in one place, it doesn't mean that the application is not vulnerable.
  2. Try every endpoint where the parameter is reflected.
  3. Don't give up after one attempt; try to dig deeper.

Here is the POC link:

Thanks for Reading. Any Suggestions are always welcomed!!

Support me if you like my work! Buy me a coffee and Follow me on Twitter.




Just a Cybersec Guy.
