Stored XSS

On the 8th of August 2013, I reported a persistent cross-site scripting vulnerability on, located in the picture upload function of the website. The bug was fixed on the 27th of August 2013.


  1. An attacker creates an image and sets its file name to an XSS attack vector. For example, <img src="" onerror="javascript:alert(1)">.png.
  2. The attacker uploads the image.
  3. Wherever the image is used, the site prints the file name of the image into the page without encoding it, so the browser executes the XSS payload.
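
The flaw in the steps above and its fix, as an added example (not code from the affected site, whose implementation is not shown here). Python and all function names are assumptions made for illustration; the file name is the one quoted in step 1.

```python
import html
import os
import re
import uuid

# File name from step 1 of the report (quoted from the page).
UPLOADED_NAME = '<img src="" onerror="javascript:alert(1)">.png'

ALLOWED_EXT = {'.png', '.jpg', '.jpeg', '.gif'}


def render_caption_vulnerable(filename: str) -> str:
    """Hypothetical template reproducing the bug: the client-supplied
    name is concatenated into the HTML unchanged, so it parses as markup."""
    return '<figcaption>' + filename + '</figcaption>'


def render_caption_escaped(filename: str) -> str:
    """Same template with HTML output encoding: <, >, &, and quotes
    become entities, so the name is rendered as text."""
    return '<figcaption>' + html.escape(filename, quote=True) + '</figcaption>'


def storage_name(filename: str) -> str:
    """Defence in depth at upload: never store under the client-supplied
    name. Keep an allow-listed extension, generate the rest server-side."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError('unsupported file type')
    return uuid.uuid4().hex + ext


def display_name(filename: str, max_len: int = 64) -> str:
    """Reduce the original name to a conservative character set before it
    is saved for display. Output encoding is still required at render time."""
    base = os.path.basename(filename.replace('\\', '/'))
    return re.sub(r'[^A-Za-z0-9._ -]', '_', base)[:max_len] or 'file'


if __name__ == '__main__':
    print(render_caption_vulnerable(UPLOADED_NAME))  # markup reaches the page
    print(render_caption_escaped(UPLOADED_NAME))     # rendered as plain text
    print(storage_name(UPLOADED_NAME))
    print(display_name(UPLOADED_NAME))
```

Encoding at output is the actual fix; renaming and filtering at upload only limit what reaches the templates.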

Bug Bounty

The bug bounty program rewards include:

  1. A t-shirt.
  2. Listing on's Hall of Fame.
  3. A whitehat hacker badge for your freelancer’s profile.

Alexa Global Rank (at the time): 534.