HackerOne #149855 — Imgur — Real World
Messages 2
DankVault
Imgur member · 847 posts · 12.3k points
Conversations
SaturnV 2m ago
Hey, did you see that new astronomy post on the front page? The one with the nebula shots.
MemeKing99 17m ago
lmaooo that cat gif you posted is already at 14k points
PixelWizard 1h ago
I tried your Photoshop technique from the tutorial — worked perfectly. Thanks!
DankVault 3h ago
Did you submit your image to the weekend contest yet? Deadline is Sunday.
NightOwlGfx Yesterday
Your HDR photo series is incredible. How long does each shot take to process?

Real World Lab — What to Find

This page simulates Imgur's mobile messaging endpoint. Access it using the URL path just like the real bug:

58.php/account/USERNAME/messages

The username segment is reflected unencoded inside a double-quoted href attribute. Unlike Lab 56 (single-quote breakout), the character that closes the attribute value here is a double quote ("). The XSS fires immediately on page load, with no click required.

Try: 58.php/account/test/messages first, then craft your payload in the path.
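
The reflection described above, next to a hardened version, as an added example in JavaScript (not the lab's or Imgur's code). The function names, the markup and the username allowlist are assumptions, and the probe is a constructed, inert input that only adds a data- attribute.

```javascript
// Added example. Function names, markup and USERNAME_RE are assumptions.
const USERNAME_RE = /^[A-Za-z0-9_-]{1,63}$/; // assumed allowlist, not Imgur's rule

// Pull USERNAME out of /account/USERNAME/messages and percent-decode it,
// as a server does before the value reaches the template.
function usernameFromPath(path) {
  const m = /^\/account\/([^/]+)\/messages$/.exec(path);
  if (!m) return null;
  try { return decodeURIComponent(m[1]); } catch { return null; }
}

// HTML-attribute encoding: characters that can end a quoted value or start markup.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Before: the decoded segment is concatenated raw into a double-quoted href.
function renderVulnerable(path) {
  return `<a href="/account/${usernameFromPath(path)}/messages">Messages</a>`;
}

// Encode for both contexts: URL path segment first, then HTML attribute.
function buildLink(user) {
  return `<a href="/account/${escapeAttr(encodeURIComponent(user))}/messages">Messages</a>`;
}

// After: reject names outside the allowlist (caller answers 404), encode the rest.
function renderHardened(path) {
  const user = usernameFromPath(path);
  if (user === null || !USERNAME_RE.test(user)) return null;
  return buildLink(user);
}

// Attribute names a parser would see on the opening <a> tag.
function attrNames(html) {
  const tag = /^<a\s([^>]*)>/.exec(html);
  return tag ? [...tag[1].matchAll(/([\w-]+)="[^"]*"/g)].map(m => m[1]) : [];
}

// Constructed probe: a double quote plus an inert data- attribute, no script.
const PROBE = '/account/test%22%20data-probe=%221/messages';
console.log(attrNames(renderVulnerable(PROBE)));            // href plus an injected attribute
console.log(renderHardened(PROBE));                          // rejected by the allowlist
console.log(attrNames(buildLink(usernameFromPath(PROBE)))); // href only
```

If a second attribute name shows up in the rendered tag, the value left its quotes; the same check works as a regression test for the template.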

Platform: HackerOne
Report: #149855
Target: m.imgur.com
Severity: No rating
Bounty: Paid
Researcher: logue
Status: Resolved (Sep 2017)