Chaining Minor Vulnerabilities to Mass Account Takeover (500 USD)

We discussed this vulnerability during Episode 215 on 25 September 2023

A request that isn’t vulnerable until you make it twice. Definitely an interesting edge case that a lot of testing might overlook. What would happen is that a search request would come in and be served normally: if the search term itself contained an XSS payload, it would be escaped before being sent back to the user, so the XSS wouldn’t execute. However, if the same user made the same request a second time, the response would be served directly out of that user’s cache, and in that cached response the XSS payload was no longer sanitized.

Issues like this with caching can come up from time to time. It’s not necessarily a lack of sanitizing, just inconsistencies in how the data is processed between a cached and a non-cached response, which occasionally leads to great little bugs like this one. The practical check is cheap: send the identical request twice (same user, same parameters) and diff the two responses, looking specifically for output encoding that is present in the first but missing in the second.