Don’t Stop at Login Pages — Fuzz Deeper: From BAC to Stored XSS

In the name of God, the Most Gracious, the Most Merciful

Hey Folks

In this write-up, I'll walk you through how I was able to escalate from a login page to a Broken Access Control issue and finally to a Stored XSS.

Initial Recon

After performing some subdomain enumeration using subfinder with API keys configured in its config file, I discovered an unusual subdomain, https://sysstat.example.com/.

So I opened it, and it was a login page, which initially suggested restricted access. [screenshot]

Directory & API Enumeration

I started with the usual approach and ran ffuf using a common directory wordlist, but it didn't return anything useful.

Since the target looked like a backend system, I tried an API wordlist instead.

After some time, the /api/blacklist endpoint returned 200.

I opened it in Burp, and it looked like error log entries being exposed publicly. [screenshot]

BAC

I decided to go deeper, so I continued fuzzing, this time using https://sysstat.example.com/api/blacklist/FUZZ as the URL to fuzz.

And after a short while, ffuf returned multiple interesting endpoints, such as add and delete, so I started investigating both.

The add endpoint required a JSON body. I reused the structure from the response and sent a modified request; the backend responded with success. [screenshot] Then I checked whether the entry was really added by sending a request to /blacklist. [screenshot] Testing the /delete endpoint showed similar behavior.

[screenshot]

From BAC to SXSS

After confirming the BAC, I noticed that there was no input filtering or sanitization at all in the /add endpoint, so I tried to escalate it.

I attempted multiple input injection techniques, but none of them worked except XSS. [screenshot]

Then, on opening /api/blacklist, the payload executed immediately. [screenshot] The XSS was stored.

Normally, API endpoints use Content-Type: application/json, so it's difficult to find an XSS vulnerability unless the content of the API is rendered inside a dangerous sink such as innerHTML.

However, in this case, you can notice that the Content-Type is text/html instead of application/json, even though this is an API endpoint. This is exactly what makes the XSS exploitable here: the browser renders the response body as HTML instead of treating it as data.
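As an added example (not the author's code, and not the target's API), here is a small audit that flags the misconfiguration this write-up hinges on: an API body that parses as JSON but is served as text/html (or without nosniff), next to the corrected way of emitting the same data. The response structure and blacklist entries are constructed for illustration.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal captured HTTP response; header names are lower-cased."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def parses_as_json(body: str) -> bool:
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


def audit_api_response(resp: Response) -> list[str]:
    """Return findings for an API response that a browser would render as HTML."""
    findings = []
    ctype = resp.headers.get("content-type", "").split(";")[0].strip().lower()
    if parses_as_json(resp.body) and ctype != "application/json":
        findings.append(f"JSON body served as '{ctype or 'none'}': browser renders it instead of parsing it")
    if resp.headers.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing 'X-Content-Type-Options: nosniff'")
    if ctype == "text/html" and "<script" in resp.body.lower():
        findings.append("script tag inside a text/html response: stored markup executes on view")
    return findings


def json_response(payload, status: int = 200) -> Response:
    """The corrected way to emit API data: declared as JSON, sniffing disabled."""
    return Response(status,
                    {"content-type": "application/json; charset=utf-8",
                     "x-content-type-options": "nosniff"},
                    json.dumps(payload))


# Constructed sample: a blacklist listing where one entry contains markup,
# served the way the write-up describes (text/html on an API endpoint).
ENTRIES = [{"id": 1, "reason": "bad bot"},
           {"id": 2, "reason": "<script>/* constructed marker */</script>"}]
VULNERABLE = Response(200, {"content-type": "text/html"}, json.dumps(ENTRIES))
FIXED = json_response(ENTRIES)

if __name__ == "__main__":
    for name, resp in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, audit_api_response(resp) or ["ok"])
```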

End of story

A login page or a 401 response doesn't mean the attack surface is gone. Once you find a valid directory, fuzz it again, and always check the Content-Type in APIs.

Thanks for reading, and feel free to contact me.

And don't forget to follow me on LinkedIn and X.

Source: https://m4kr0.vercel.app/posts/from-bac-to-stored-xss/
Author: Adham A. Makroum
Published: 2026-01-17
License: CC BY-NC-SA 4.0