How to verify the blind stored XSS payload reached Capital One
- Open chrome://extensions
- Find Capital One Shopping and click the "Service Worker" link
- Go to the Network tab
- Filter by track.capitaloneshopping.com
- Look at the request body and find the "title" field
- It contains: <img src=x onerror=alert(document.cookie)>
Why this matters: the extension attaches this XSS payload to the real user's identity
(userId, profileId, installId, device fingerprint), which an attacker cannot reproduce via direct API calls.
If any Capital One internal dashboard renders the title field without output encoding, the payload executes as stored XSS.
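The fix on the receiving side is output encoding at the rendering boundary, and the cheap detection is to flag telemetry records whose free-text fields look like markup before they ever reach a dashboard. The following is an added example (not code from the write-up or from Capital One) that shows the unsafe render beside the hardened one and a small ingestion-time check. The record shape and the field name `title` are assumed from the write-up; the sample records are constructed.

```javascript
// Added example: output-encode a telemetry "title" field at render time and
// flag records whose free-text fields look like HTML markup.
// Record shape is assumed; the sample events below are constructed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Output-encode a string for use in an HTML text node or quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: interpolates the stored title straight into markup (the bug described above).
function renderTitleUnsafe(event) {
  return `<td class="title">${event.title}</td>`;
}

// Hardened: every untrusted field is encoded where it meets the HTML context.
function renderTitleSafe(event) {
  return `<td class="title">${escapeHtml(event.title)}</td>`;
}

// Heuristic markup detector: an HTML tag, an inline event-handler attribute,
// or a javascript: URL. Tuned for review queues, not as a sanitizer.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z][^>]*>|on[a-z]+\s*=|javascript:/i;

// Return the names of string fields in a record that match the markup heuristic.
function findSuspiciousFields(event, fields = ['title']) {
  return fields.filter(
    (f) => typeof event[f] === 'string' && MARKUP_PATTERN.test(event[f]),
  );
}

// Constructed sample records: one benign page title, one carrying the payload from the write-up.
const SAMPLE_EVENTS = [
  { userId: 'u-1001', title: 'Noise-cancelling headphones - 40% off' },
  { userId: 'u-1002', title: '<img src=x onerror=alert(document.cookie)>' },
];

// Produce a review row per record: which fields tripped the heuristic and the safe HTML.
function summarize(events) {
  return events.map((e) => ({
    userId: e.userId,
    suspicious: findSuspiciousFields(e),
    safeHtml: renderTitleSafe(e),
  }));
}

for (const row of summarize(SAMPLE_EVENTS)) {
  console.log(row);
}
```

The encoder is context-specific: it is correct for HTML text and quoted attribute values, not for JavaScript strings, URLs or CSS, each of which needs its own encoding. The detector is deliberately noisy (it will flag benign text containing `reason=`), which is the right trade-off for a review queue feeding a dashboard that should already be encoding its output.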