$ cat /shinchina/blog/2022-09-07-$900-blind-xss.html

$900 Blind XSS

........................................... 2022-09-07 ...........................................

Hello Guys!, This is my first ever writeup. Today i will tell you about my First Bug Bounty Earning.

It was a Blind XSS ( Blind XSS are awesome 🔥 )

First I went to Bugcrowd and start finding a good program for me.
At that time i thought why not choose the old program because there are many hunters hunting on newly added programs.

so i went to bugcrowd.com/programs and click Last >> Then i select a program that have *.target.tld

I open homepage (redacted.com) and start looking for keywords like Contact Us, Customer Support, Help
I found get a demo button, I clicked and found that there is a form for demo slot booking.

I paste my xsshunter's basic payload on every input i see.
after 10 to 15 hours, I got a mail from xsshunter, I receive multiple fires from redacted.com.
I report immediately and tell them that some of your booking form inputs are not sanitized and vulnerable to blind xss.
I showed them PoC, IPs, etc. details

After 4 Days, they Triaged with P2 severity
i was so happy, i can't belive this because the program is one of the oldest program on bugcrowd.

After 2 Days they rewarded me with $900 and 20 Points

I got mad that day, words can't describe that feeling.
Special Thank to all my Mentors @thecyberzeel @AnubhavSingh_ @IAmMandatory and Bugcrowd

Here is the Tip : Programs add new features time to time and these are mostly vulnerable, so work on old programs too.

[19 Jun 2021] : Bug Submitted
[23 Jun 2021] : Accepted and Triaged as P2
[25 Jun 2021] : Rewarded $900
[23 Dec 2021] : Resolved