2 min readSep 5, 2023


vulnerability name: cross site scripting through chat messages

Here is the vulnerability that reported long back for vanilla organisation and rewarded.I just wanted to share write up here.

At first Usually i start with trying xss injection.I started by searching where ever i can insert the inputs later i thought why dont we give a try injection on text input.I tried some basic xss payloads but didnt worked later fired up burp suite for trying with mass xss payloads.

  1. Fired up burp suite
  2. Intercept chat text request in burp suite and selected injection point for payload.
  3. Loaded up mass payloads and start attacking.
  4. Here everything is showing 200 responses but how to find whether payload worked.So started looking for each response and found out that it is filtering keywords and tags like ex:alert(1),<script>
  5. Here got an idea so searched for alert(1) from payload responses and found few results .
  6. From that i adjusted payloads so that xss triggers after victim moves cursor over text.Here is the POC report and link attached at bottom .

Vulnerability description: cross site scripting is a vulnerability that allows an attacker to send malicious code(usually in javascript form) to another user Because a browser cannot know if the script should be trusted or not, it will execute the script in user context allowing the attacker to access any cookies or sessions tokens retained by the browser.

payload; <svg<script> onmou<script>seover</script>="alert('xss')">hii</svg</script>>

vulnerable url:http://4gcommunity.vanillacommunities.com/messages/4 ## Steps to reproduce: step 1.Go to http://4gcommunity.vanillacommunities.com/messages/4

2 .Go to Add message and send any one payload as messages step

3.when victim get message notification in bottom left as seen in screenshot, take cursor over there,it will give “xss”.


1-> attacker can be used for stealing cookies

2->As it is through messaging so easily,whomever payload sent will be affected.

I even posted video as poc in reported link below. Hope it helps for clear understanding.

Thank you