I'm a beginner bug bounty hunter, and I recently came across a Self-XSS vulnerability during my security testing on a target website. The vulnerability occurs when I inject a payload into the X-Forwarded-For header of a web request. However, the security team of the bug bounty program denied my discovery, stating that it doesn't directly impact their clients or services.
I would like to understand how I can escalate this vulnerability or make it more impactful to make it acceptable for the bug bounty program or to better highlight its potential risk. What additional techniques can I explore to demonstrate the impact of this vulnerability?
Please keep in mind that I'm new to Stack Overflow as well, so please don't be too strict.
I appreciate any guidance or insights on how I can enhance my discovery and its significance.
I attempted to escalate the Self-XSS vulnerability by injecting various payloads into the X-Forwarded-For header of HTTP requests. I experimented with different types of JavaScript payloads to see if I could trigger actions that might have a more significant impact.
I was hoping to demonstrate that the vulnerability had the potential to be exploited in a way that could harm the website's users or services. My goal was to show the bug bounty program that, even though the initial impact seemed limited, it had the potential for more severe consequences under certain circumstances.