snackaholic avatar

XSS vulnerability

snackaholic

Published: 15 Apr 2018 › Updated: 15 Apr 2018XSS vulnerability

XSS vulnerability

Expected behavior

When clicking on links, refering steempayout.com I dont expect any xss vulnerabilities.

Actual behavior

There is the possibility to inject javascript to the side and this means I can do what ever I want to do with the users clicking that link...

How to reproduce

navigate to http://www.steempayout.com

enter the username you want to check the payout from.

manipulate the parameter within the url to your needs...

example :

http://www.steempayout.com/?username=snackaholic

to

https://steempayout.com/?username=%3Cscript%3Ealert(%22hallo%22)%3C/script%3E

  • Browser:
    Google Chrome Version 65.0.3325.181
  • Operating system: Windows 10

Recording Of The Bug

Screenshot of Google Chrome protecting the user:

image.png

Screenshot of the malicious code that got injected to the site:
bad.png



Posted on Utopian.io - Rewarding Open Source Contributors

Leave XSS vulnerability to:

Written by

Read more #utopian-io posts


Best Posts From snackaholic

We have not curated any of snackaholic's posts yet. But you can encourage our curation team to review posts by visiting them regularly and by referring other readers. Because we give priority to frequently read content.

More Posts From snackaholic