It was a regular morning at the office. I was drinking coffee and reviewing a new feature that had just been deployed to production. Everything was running as usual — code reviews, meetings, endless Jira tickets.
Then I noticed something strange. On the user profile page, there was a new comment field that had been recently added. As usual, I started testing edge cases. What would happen if I entered a very long string? What about special characters? And what if...
So I entered a classic payload: <script>alert('XSS')</script>. Nothing happened. Hmm, interesting. But then I looked at the page source — and saw that my script was there. It just didn't execute due to Content Security Policy. But CSP isn't a solution; it's just a temporary measure.
I decided to check how the data was displayed in other places. I went to the admin panel where all comments were shown. And there it was! In the admin interface, comments were rendered without HTML tag escaping. So the XSS injection existed; it was just blocked by CSP in one place, but not in another.
I wrote a detailed report: described the vulnerability, attached screenshots, specified exact reproduction steps, and even proposed a solution — to use HTML escaping functions when outputting user data.
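To make the finding concrete, here is an added illustration (my own code, not the project's) of the admin view described above and the output-escaping fix proposed in the report. The comment list is a constructed sample; the function and field names are assumptions.

```python
import html

# Constructed sample: stored comments, one carrying the payload from the test.
COMMENTS = [
    {"user": "alice", "body": "Great feature!"},
    {"user": "mallory", "body": "<script>alert('XSS')</script>"},
]


def render_admin_comments_vulnerable(comments):
    """Admin view as found: stored user data is concatenated into HTML unescaped.
    A CSP on the public page hides the symptom; here there is nothing to stop it."""
    rows = "".join(
        f"<tr><td>{c['user']}</td><td>{c['body']}</td></tr>" for c in comments
    )
    return f"<table>{rows}</table>"


def render_admin_comments_fixed(comments):
    """Same view with output encoding: every untrusted value goes through html.escape.
    quote=True also encodes quotes, so the value is safe inside attributes too."""
    rows = "".join(
        f"<tr><td>{html.escape(c['user'], quote=True)}</td>"
        f"<td>{html.escape(c['body'], quote=True)}</td></tr>"
        for c in comments
    )
    return f"<table>{rows}</table>"


def contains_live_script(page):
    """Regression check for the ticket: does the rendered page still contain a raw <script tag?
    Escaped output turns it into &lt;script, which no browser will execute."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", contains_live_script(render_admin_comments_vulnerable(COMMENTS)))
    print("fixed:     ", contains_live_script(render_admin_comments_fixed(COMMENTS)))
```

The same check works as an automated test, so "can't reproduce it anymore" becomes a verifiable claim rather than a closed ticket.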
I submitted a ticket to the bug tracking system. Priority — critical. A week passed — the ticket was hanging without a response. A month passed — status "in progress." Another month later — the ticket was closed without comments.
I approached the team lead and asked: "What about that XSS?" He shrugged: "Fixed. Can't reproduce it anymore." No "thank you," no "well done," not even a simple acknowledgment that I had found a serious vulnerability.
You know what the most frustrating part is? Six months later, more XSS vulnerabilities were found in the same project, discovered by an external pentester. They paid him money and publicly thanked him in the corporate blog.
This is the reality for many developers and security testers. We find problems, make the product better, but often remain unnoticed. Sometimes it seems that companies only value external audits, while treating internal findings as a given.
But I still keep searching. Because security matters. Because it's the right thing to do. And because one day, maybe, someone will say thank you.