How I caught Multiple vulnerabilities in Udemy.com, But not rewarded for XSS vulnerability :(

Hello,

This is Satyendra Shrivastava (Independent cybersecurity researcher)

Today I’m going to tell you a story of finding a bunch of bugs in udemy.com and bugs are like XSS (Dom based XSS), HTML injection, clickjacking and broken authentication in the homepage of udemy.com.

So let’s begin the story

One day I was in the computer lab of my college and normally all the students were studying their subjects and I’m an computer nerd so that’s why I was busy with my stuff. means Hacking LOL! :)

I was looking for some bugs in the random websites and suddenly I thought I need to gain more knowledge about Hacking then I started searching for hacking courses on the internet and fortunately I entered in udemy.com and searched for bwapp training course but there were no courses for me :(

and then suddenly I had a thought in my mind of testing for XSS and I inputted in searchbar a simple JavaScript payload -

<script>alert(XSS)</script>

Unfortunately, there is no response till now :(

After some time I tried one more javascript payload that is -

<img src=1 onerror=alert(document.cookie)>

BOOOOOMM!!!!!!

I got a popup with the cookie reflection

I and my friends were like this –

And now I was not staying cool I was so happy and continue to look for some more and tried an HTML injection code.

payload is —

<h1><marquee>Udemy has beeen hacked</marquee></h1>

Once again BOOOMM!!!

That day my luck was like this –

And then my curiosity level is on peak :)

I needed some more then again, I am started fighting with udemy.com

Once again, I got a click-jacking.

I tried one more time and got a broken authentication it allows a attacker to brute force the coupon code field.

Now I was satisfied with that last vulnerability I finally reported all the bugs to Udemy.

But here my luck was not with me because I got XSS as out of scope from the program I was socked

And also broken authentication is got duplicate.

But still, remaining bugs (HTML injection, potential click-jacking)are triaged so finally I’m happy.

Status — Fixed