Stored XSS via Invite leading to Account Takeover at Opera.

Hey Guys!! I am Samrat Gupta aka Sm4rty, a Security Researcher and a Bug Bounty Hunter. I hope everyone is safe in the Current Covid-19 Pandemic Situation. I am back with another Blog. Hope you will learn something new today.

So, It is a story of Stored XSS which I recently found at which is one of the domains of the Opera BugBounty Program. Let’s get started.

What is Stored XSS?

Stored XSS, also known as persistent XSS, is the more damaging of the two i.e. Reflected or DOM-based. It occurs when a malicious script is injected directly into a vulnerable web application is stored in the server, which can therefore be more impactful.

How I found Stored XSS at Opera?

It was a month before I was hunting at Opera. I picked the domain which was in the scope of the Opera Program at BugCrowd.

At first, I begin with initial Recon i.e. subdomain enumeration, port scanning, screenshot, and running Nuclei. Then I thought of exploring the features as a normal user.

In the application, I found a function where user can create a publisher. So, I randomly tried an XSS payload </h4><script>alert(document.cookie)</script> at the Name parameter of the publisher. As Expected, Nothing happened and XSS didn’t trigger.

Then I further explored the application and found a feature, Where I was able to invite other users to access the publisher which I just created. So, I created a second account on the website.

From the First Account, I just invited the second Account to the publisher. And From Second Account, As I clicked ‘accept’ on Invitation.

BOOM!! XSS Triggered.

Again I tried the same steps and Instead of accepting the Invite I clicked on ‘decline’ and say what XSS triggered again.

So, I got too excited and Just reported it to the Program. But unfortunately, I was a bit late. Before me, someone had already reported the vulnerability and All I got was a duplicate. But still, I learned a lot.

Key Takeaways:

  1. When the XSS payload doesn’t trigger at one place, It doesn’t mean that It is not vulnerable.
  2. Try every endpoint where the parameter is reflected.
  3. Don’t Give up at one attempt, Try to dig deeper.

Here is the POC link:

Thanks for Reading. Any Suggestions are always welcomed!!

Support me if you like my work! Buy me a coffee and Follow me on Twitter.




Just a Cybersec Guy.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Our privacy is dying — but we can lose it responsibly

Trezor Model One Review what you need to know

Why should you Jailbreak iOS 13.5?

READ/DOWNLOAD> Engineering Trustworthy Systems: Ge

Announcing The Winners of The Seventh SHUFFLE! Staking Lottery!

Adventures of my online profile

🥇🐝 Gold Bee Token 🐝🥇

HTB Oouch Writeup | Sunny Mishra

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Just a Cybersec Guy.

More from Medium

SSRF & LFI In Uploads Feature

Response Manipulation leads to Account Takeover

IDOR vulnerability on invoice and weak password reset leads to account take over

Insecure Direct Object Reference