Stored XSS via Invite leading to Account Takeover at Opera.

Hey guys!! I am Samrat Gupta, aka a Security Researcher and a Bug Bounty Hunter. I hope everyone is safe in the current Covid-19 pandemic situation. I am back with another blog. I hope you will learn something new today.

So, it is a story of a Stored XSS which I recently found at which is one of the domains of the Opera Bug Bounty Program. Let's get started.

What is Stored XSS?

Stored XSS, also known as persistent XSS, is generally more damaging than the other two kinds, reflected and DOM-based XSS. It occurs when a malicious script is injected into a vulnerable web application and stored on the server, so it is served to every user who later views the stored content, which is why its impact is greater.

How I found Stored XSS at Opera?

About a month ago I was hunting at Opera. I picked the domain which was in the scope of the Opera program at Bugcrowd.

At first, I began with initial recon, i.e. subdomain enumeration, port scanning, screenshots, and running Nuclei. Then I thought of exploring the features as a normal user.

In the application, I found a function where a user can create a publisher. So, I randomly tried an XSS payload in the Name parameter of the publisher. As expected, nothing happened and the XSS didn't trigger.

Then I explored the application further and found a feature where I was able to invite other users to access the publisher I had just created. So, I created a second account on the website.

From the first account, I invited the second account to the publisher. Then, from the second account, I clicked 'accept' on the invitation.

BOOM!! XSS Triggered.

I tried the same steps again, but instead of accepting the invite I clicked 'decline', and the XSS triggered again.

So, I got too excited and just reported it to the program. Unfortunately, I was a bit late: someone had already reported the vulnerability before me, and all I got was a duplicate. But still, I learned a lot.

Key Takeaways:

  1. When the XSS payload doesn't trigger in one place, it doesn't mean the parameter is not vulnerable.
  2. Try every endpoint where the parameter is reflected.
  3. Don't give up after one attempt; try to dig deeper.
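The pattern behind takeaways 1 and 2, as an added example that is not code from this post or from Opera: a stored field (the publisher name) is encoded correctly on the page where it was first tested, but a second template (the invite accept/decline page) renders the same stored value raw. The template functions, the `escapeHtml` helper and the canary value are all hypothetical; the last function is the regression check a defender can run over every sink that renders a stored field.

```javascript
// Added example, not code from the post or from Opera: the same stored
// publisher name must be HTML-encoded at every sink that renders it.
// Template functions and the canary value below are hypothetical.

// Minimal encoder for text placed into element content or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// The publisher page encodes the name, so a payload stored in the
// name does not execute here (why the first test "did nothing")...
function renderPublisherPage(publisher) {
  return `<h1>${escapeHtml(publisher.name)}</h1>`;
}

// ...but the invite accept/decline page interpolates the same stored
// value raw: this second sink is where the stored payload fires.
function renderInvitePageVulnerable(publisher, invitee) {
  return `<p>${escapeHtml(invitee)}, you were invited to ${publisher.name}.</p>`;
}

// Fix: encode at this sink as well.
function renderInvitePage(publisher, invitee) {
  return `<p>${escapeHtml(invitee)}, you were invited to ${escapeHtml(publisher.name)}.</p>`;
}

// Regression check for every template that renders a stored field:
// feed a canary name containing markup and flag any sink that echoes
// it unencoded. Returns true when the sink encodes the name.
const CANARY_NAME = "<canary>";
function sinkEncodesName(renderFn, ...extraArgs) {
  return !renderFn({ name: CANARY_NAME }, ...extraArgs).includes(CANARY_NAME);
}

// Run the check over all known sinks; a false value is a finding.
function auditSinks() {
  return {
    publisherPage: sinkEncodesName(renderPublisherPage),
    invitePageVulnerable: sinkEncodesName(renderInvitePageVulnerable, "bob"),
    invitePage: sinkEncodesName(renderInvitePage, "bob"),
  };
}
```

Running `auditSinks()` flags only `invitePageVulnerable`, which is exactly the situation in the story: the first page tested was safe, the invite page was not.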

Here is the POC link:

Support me if you like my work! Buy me a coffee and follow me on Twitter.



Smart contract Auditor at QuillAudits. Interested in Web3 and SmartContract Security.
