hunt-xss

## Crown Jewel Targets XSS is high-value when it combines **privileged context + persistent delivery + scope escalation**. The highest payouts come from: - **Admin panels and authenticated dashboards** (e.g., `*/admin`, `*/settings`) — attacker can hijack sessions with elevated privileges, exfiltrate tokens, or pivot to account takeover - **Payment/financial flows** (`paypal.com`, checkout pages, currency converters) — XSS here enables credential harvesting and financial fraud at scale - **Stored XSS in collaborative features** (wikis, markdown renderers, issue trackers, RDoc, labels, tags) — one payload infects every viewer, multiplying impact - **SSO/signin pages** (e.g., `paypal.com/signin`) — XSS here is critical because it can steal auth tokens across the entire platform - **Shared SaaS tenant surfaces** (`*.myshopify.com`, `api.collabs.*`) — XSS in one tenant's context can bleed across tenant boundaries - **Help/documentation sites** (`help.shopify.com`) — lower severity individually, but often have looser sanitization and trusted user perception - **SVG/file upload endpoints** — frequently bypasses CSP and sanitization simultaneously **Asset types that pay most:** Main product domains > Admin subdomains > API endpoints > Marketing/help sites --- ## OOB-Or-It-Didn't-Happen Gate (Blind / Stored XSS) For blind and stored XSS — claims require an out-of-band confirmation, the same as blind SSRF. The OOB receiver fires when the payload actually executes in a browser so...