In this blog post, the author shares their experience of using their cybersecurity skills to find a cross-site scripting (XSS) vulnerability on Chess.com, the leading chess site on the internet. They explain how they discovered a feature that allowed them to automatically friend anyone who visited their profile and used it to their advantage. They also describe how they exploited a TinyMCE rich text editor with an image upload function to inject malicious code and execute an XSS attack. The author goes into detail about their findings, including the limitations and potential impact of the vulnerability. Their report was well-received by the security team, and they were rewarded for their discovery. The author also shares some interesting side notes and additional techniques they explored during their testing.
https://skii.dev/rook-to-xss/