Exploit Feature To Get High Bug impact

how I Exploit Feature To Get High Bug impact

Hello Awesome Hackers, I hope you all doing well!
My name is Mohamed Anani Or 0xM5awy.

In this Write-Up, we will talk about how I Exploit Feature To Get High Bug impact

In the beginning, let’s explain how the website works.
When anyone start hacking and sees that the company has features such as (Post-Comment-Search) and so on, he starts trying to get XSS right?
so as anyone i try to Put
in all this fields But unfortunately was giving me a Forbidden Error 403 .. And when I started to understand how Cloudflare works, it turns out that it deletes anything that contains and leaves only the content as an example will be so i say to myself What will happen if you try to use this feature against them? and this what we will talk about in this write-up

in my last write-up i have found a function that allows the user to send private messages to streamers. and To do this, you must buy private messages for tokens so how are we going to use this? When you buy messages with tokens For example, if the user buys 10 messages, he will only be able to send 10 messages, and if he sends them, he will have to buy 10/100/etc to talk with the streamer again.

So After I bought private messages in order to be able to message the streamer, i try to put To see what will happens when I do that

And what I expected happened thay delete the and leave the But what I didn’t expect was that the message was not deducted from the number I bought So i try to send this first to see will happend “hello Streamer” I had 10 messages before I sent this message and after i sent it now i have 9 messages So Now it’s time to see what happens if i sent

What I expected happened , the messages remaining was not going down and the message have been sent with “Hello Streamer” and i still have 9 messages :))

Attack Workflow:

  • The attacker will buy private messages to talk to his streamer account
  • The attacker will send a message to the streamer account with
  • The Streamer will got the message “The Message”

The attacker will not lose the Message that he bought it . and now he can use this Feature for free to talk to any streamer ( only he need to buy the first 10 Messages )


An attacker can send unlimited messages without buying with add bad codes as

Unfortunately, they have lowered the Severity to Medium :)



There is no safe system forever :")

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store