webPromedium
Lab 66 — GrowthPilot — Stored XSS via User Registration
hackadvisor
Task: Workforce management SaaS with user registration reviewed by admin bot; fullName field is HTML-escaped on user dashboard but rendered unescaped in admin panel. Solution: Stored XSS via img onerror in fullName field, cookie exfiltrated via base64-encoded URL path to Interaction Server (query strings stripped from logs).
$ ls tags/ techniques/
nodejsejsxssstored_xsscookie_stealingnginxexpressadmin_botdecoy_flaginteraction_serverbase64_exfiltrationuser_registration
admin_bot_exploitationdecoy_flag_avoidancestored_xss_via_registration_fullnamecookie_exfiltration_via_document_cookiebase64_path_encoding_for_oob_exfiltration
🔒
Permission denied (requires tier.pro)
Sign in to access full writeups
Sign in with GitHub to continue. No email required.
$sign in$ grep --similar
Similar writeups
- [web][Pro]Lab 116 — InsightForge — IDOR via Undocumented Internal API— hackadvisor
- [web][Pro]Lab 70 — LivePulse— hackadvisor
- [web][Pro]Lab 153 — FlowDesk — CSRF Account Takeover via Email Change— hackadvisor
- [web][Pro]Lab 316 — InsightForge — JWT Secret Leak to RCE via Command Injection— hackadvisor
- [web][Pro]Lab 271 — TeamPulse — Stored XSS via HTML File Upload— hackadvisor