CRITICAL CVSS: 9.6 DUPLICATE Web Security

Stored XSS in Support Ticket Workflow via response.content Parameter

Stored XSS vulnerability in a support/helpdesk workflow allowed attacker-controlled JavaScript execution when support tickets were viewed by users or internal staff, enabling session hijacking and privileged workflow abuse.

Validated Duplicate Finding

This vulnerability was independently discovered and successfully demonstrated, but had been previously reported by another researcher. Duplicate findings are common in active bug bounty programs and still represent legitimate offensive security capability — the exploitation was real, the impact was valid, and the methodology was sound.

Platform
YesWeHack
Program
Bug Bounty
Target
VoltFunded (Exinity)
Read Time
18 min

Attack Chain 7 stages

1
Authenticated User
2
Submit Malicious Response
3
Payload Stored Server-Side
4
Support Staff Opens Ticket
5
Unsafe Rendering
6
JavaScript Execution
7
Session / Privileged Workflow Risk

Disclosure Timeline

2025-04-25 Target platform identified — VoltFunded (Exinity) client portal
2025-04-26 Support ticket workflow mapped — ticket creation and response thread analyzed
2025-04-27 Input reflection observed — response.content rendered without sanitization
2025-04-28 Stored XSS payload injected via ticket response — alert(document.cookie) executed
2025-04-28 Payload persistence confirmed — XSS triggers on every subsequent ticket view
2025-04-28 Cross-user execution validated — payload fires when victim opens affected ticket
2025-04-28 Report submitted through YesWeHack program
2025-05-02 Report triaged — marked as Duplicate (previously reported)
2025-05-02 Duplicate points (4 pts) awarded — vulnerability validity confirmed

Reconnaissance

During authorized security research on the VoltFunded (Exinity) trading platform through the YesWeHack bug bounty program, the support ticket system was identified as a critical attack surface for stored content injection. The platform at trade.voltfunded.com provided a full-featured helpdesk workflow — users could create tickets, submit responses in a threaded conversation format, and upload file attachments. Using Burp Suite Proxy, the response submission flow was intercepted and analyzed, revealing that ticket responses were submitted via the response.content parameter and stored server-side for later rendering in the ticket view interface.

Vulnerability Discovery

The ticket response rendering mechanism was found to have insufficient output encoding. When a user submitted a response containing HTML or JavaScript content, the backend stored the raw input and the frontend rendered it without proper sanitization or contextual output encoding. The response.content parameter accepted arbitrary HTML markup, which was then persisted in the ticket conversation thread and executed in the browser context of any subsequent viewer — including the ticket creator, other authenticated users, and critically, internal support staff or administrators reviewing tickets through the helpdesk interface.

Filter Bypass Analysis

Payloads are intentionally sanitized for responsible disclosure and portfolio presentation.

Ticket response content stored server-side without input sanitization — RAW HTML ACCEPTED
Output rendering lacks contextual encoding — HTML entities NOT ESCAPED
JavaScript event handlers execute within application origin — SAME-ORIGIN CONTEXT
Payload persists across page reloads — STORED, NOT REFLECTED
Cookie access confirmed via document.cookie exfiltration — SESSION DATA EXPOSED
Payload triggers for any user viewing the ticket — CROSS-USER EXECUTION
Support staff/admin panel shares the same rendering context — PRIVILEGED TARGET EXPOSURE
No Content-Security-Policy header restricting inline script execution — CSP ABSENT

Payload Analysis

All payloads below are sanitized proof-of-concept examples. No active exploitation code is shown.

Stored XSS Payload — Ticket Response Injection
✓ SUCCESS 
<img src=x onerror=alert(document.cookie)>

// Injected via response.content parameter
// Stored in ticket conversation thread
// Executes on every subsequent ticket view
NOTE: Payload stored in ticket #900175 response thread — triggers alert(document.cookie) on page load for any viewer
Browser Alert Output — Cookie Exfiltration Proof
✓ SUCCESS 
trade.voltfunded.com says:

utm_storage={};
_ga=GA1.1.REDACTED.REDACTED;
_fbp=fb.1.REDACTED.REDACTED;
FPLC=REDACTED...
_ym_uid=REDACTED;
_ym_d=REDACTED;
_gcl_au=1.1.REDACTED...
_ym_isad=2;
AMP_MKTG_REDACTED=REDACTED;
NOTE: Browser alert displays full document.cookie contents — confirms JavaScript execution within trade.voltfunded.com origin with access to session data
Execution Context — Application Origin
⚡ BYPASSED 
// Execution Origin: trade.voltfunded.com
// Context: Authenticated user session
// Cookie Access: Full (HttpOnly not set on tracking cookies)
// DOM Access: Full application DOM
// API Access: Authenticated API calls possible
// Target: Any user or staff member viewing the ticket

// Potential escalation:
// - document.cookie → session token theft
// - fetch('/api/...') → authenticated API abuse
// - DOM manipulation → phishing within trusted context
NOTE: XSS executes within the fully authenticated application context — attacker gains equivalent browser-level access to the victim's session

Tooling

Burp Suite Proxy — intercepting ticket response submission and analyzing request/response cycle
Browser DevTools — inspecting DOM rendering behavior and JavaScript execution context
Manual XSS testing — crafting and validating stored payload persistence across sessions
Cookie analysis — verifying document.cookie accessibility and session token exposure

Chaining Strategy & Escalation

The Stored XSS vulnerability in the support ticket workflow presents critical escalation opportunities due to the nature of the attack surface. Support tickets are reviewed by internal staff and potentially administrators — any XSS payload persisted in a ticket response executes in their authenticated browser context. This creates a direct path to session hijacking of privileged accounts. Combined with the IDOR vulnerability previously identified in the same support workflow (ticket creation via customer parameter manipulation), an attacker could: (1) create a ticket under a victim's account via IDOR, (2) inject a Stored XSS payload into the ticket response, (3) wait for support staff to review the ticket, (4) exfiltrate the staff member's session token or perform authenticated actions on their behalf. This exploit chain transforms two individual findings into a comprehensive attack against the platform's internal support infrastructure.

Root Cause Analysis

The support ticket response rendering mechanism lacked proper output encoding. User-supplied content submitted via the response.content parameter was stored raw and rendered directly into the DOM without contextual HTML entity encoding, JavaScript escaping, or sanitization. The absence of a Content-Security-Policy (CSP) header further compounded the issue by allowing inline script execution and event handler attributes. This is a textbook Stored Cross-Site Scripting vulnerability as defined by CWE-79 (Improper Neutralization of Input During Web Page Generation). The fix requires implementing context-aware output encoding at the rendering layer, input sanitization at the storage layer, and deployment of a strict CSP header to provide defense-in-depth.

Impact Assessment

Arbitrary JavaScript execution within trade.voltfunded.com origin for any ticket viewer
Session token theft via document.cookie access — full account takeover potential
Internal staff targeting — support personnel reviewing tickets execute attacker's payload
Privileged workflow abuse — admin/staff sessions can be hijacked for platform-wide impact
Phishing within trusted context — DOM manipulation enables convincing credential harvesting
Persistent payload — XSS triggers on every subsequent page load of the affected ticket
Exploit chain amplification — combines with IDOR for targeted cross-account attacks

Remediation

Implement context-aware output encoding — HTML entity encode all user-supplied content before rendering
Deploy server-side input sanitization using a proven library (e.g., DOMPurify, Bleach) to strip dangerous HTML
Add Content-Security-Policy header with strict directives: script-src 'self'; no inline event handlers
Set HttpOnly and Secure flags on all session-related cookies to prevent JavaScript access
Implement a trusted types policy to prevent DOM-based injection vectors
Add SameSite=Strict on session cookies to limit cross-origin cookie exposure
Audit all user-input rendering paths in the support ticket system for similar encoding failures

Technical Evidence

Visual documentation from the security assessment. All sensitive data has been redacted.

XSS alert popup showing document.cookie on VoltFunded support ticket
Evidence 1

Stored XSS execution on ticket #900175 — alert(document.cookie) fires showing full cookie data. The Response Thread below shows the injected payload via the ticket response interface.

Stored XSS execution on VoltFunded ticket view
Evidence 2

Persistent XSS on ticket #900176 — payload executes on every page load, confirming stored (not reflected) behavior. Cookie data including _ga, _fbp, and tracking tokens exposed.

XSS payload persistence across sessions on VoltFunded
Evidence 3

Payload persistence validation — same ticket viewed in a new session still triggers JavaScript execution, confirming server-side storage of the malicious response content.

XSS browser execution within authenticated VoltFunded context
Evidence 4

Browser execution context — XSS runs within the trade.voltfunded.com origin with full DOM and cookie access. The Reply field and Upload Documents section confirm the authenticated helpdesk context.

This case study follows responsible disclosure practices. All sensitive data including endpoints, credentials, customer information, and active exploitation payloads have been redacted or sanitized. The vulnerability was reported through the official bug bounty program and has been resolved.