An old Stored XSS story
That is a short story about my first triaged bug on HackerOne, when I started out in 2020. At that time I was learning about web vulnerabilities through PortSwigger's Web Security Academy and practicing on a public bug bounty program on HackerOne. I chose this program mainly because I was a consumer of this brand (a Chinese mobile manufacturer) and owned one of its phones.

The Target

During the tests I focused on a single domain in charge of storing your contacts and files in the cloud: whenever I added a new phone contact on my mobile, I was able to see it on that website, and vice versa.

After understanding all the functionalities, I focused on the phone contact creation, which had a REST API endpoint that the web interface called with a POST request. Apart from the API endpoint, there was an option to create contacts from VCF files. The VCF file is an important actor in the payload stage, stay with me :D

The Issue

Understanding the phone contact creati
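The contact creation path described above is exactly where a stored XSS lands: a name or note inside a vCard is persisted by the cloud service and later rendered into the web interface. The following added example (not code from the original post or from the vendor's service) shows a minimal vCard 3.0 parser fed a constructed VCF, together with the vulnerable rendering pattern beside its escaped form. The parser, the sample card and both render functions are assumptions made for illustration.

```python
import html
import re

# Constructed sample vCard (not from the original post). The FN field carries
# harmless HTML markup so the difference between the two renderers is visible;
# the NOTE field is folded across two lines as RFC 2425 allows.
SAMPLE_VCF = """BEGIN:VCARD
VERSION:3.0
FN:Alice <i>injected</i>
TEL;TYPE=CELL:+1-555-0100
EMAIL:alice@example.com
NOTE:Long note
  continues
END:VCARD
"""


def parse_vcards(text):
    """Minimal vCard 3.0 parser: returns a list of dicts keyed by property name.
    Property parameters (e.g. TYPE=CELL) are dropped. Handles line folding, where
    a line break followed by a single space or tab continues the previous line."""
    # Unfold: remove the line break plus the one whitespace character that follows it.
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    cards, current = [], None
    for line in unfolded.splitlines():
        if not line.strip():
            continue
        if line.upper() == "BEGIN:VCARD":
            current = {}
            continue
        if line.upper() == "END:VCARD":
            if current is not None:
                cards.append(current)
            current = None
            continue
        if current is None or ":" not in line:
            continue  # ignore stray lines outside a card or without a value
        key, value = line.split(":", 1)
        name = key.split(";", 1)[0].upper()  # strip parameters such as TYPE=CELL
        current[name] = value
    return cards


def render_contact_unsafe(card):
    """The vulnerable pattern: stored contact fields concatenated straight into HTML,
    so markup in a name is interpreted by the browser."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        card.get("FN", ""), card.get("TEL", "")
    )


def render_contact_safe(card):
    """Hardened form: every field is HTML-escaped before it reaches the page, so the
    same name is displayed as literal text."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(card.get("FN", ""), quote=True),
        html.escape(card.get("TEL", ""), quote=True),
    )


if __name__ == "__main__":
    for card in parse_vcards(SAMPLE_VCF):
        print("unsafe:", render_contact_unsafe(card))
        print("safe:  ", render_contact_safe(card))
```

Escaping at render time is the check that matters here: validating or trimming names on the import endpoint alone does not help when the same contact can also arrive through the REST API, a mobile sync, or a differently encoded VCF, so the web interface must treat every stored field as untrusted text.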