Can you spot the XSS vulnerability? \ stacker news ~security

pull down to refresh

646 sats \ 29 comments \ @ek 15 Mar security

I am subscribed to the Intigriti newsletter and I was about to unsubscribe but then I saw that they included this section:

Hacking Time: Can you spot the XSS vulnerability?

XSS might be easy to find, or not.... Can you seem to spot the cross-site scripting (XSS) vulnerability in this code snippet?

The exploitation method showcased in this example is commonly overseen by most bug bounty hunters, as they’re not aware of the possibility to pass your malicious XSS payload in this different format!

2.5k sats for the first correct answer!

2,500 sats paid 2 times

ek's bounties

view all past bounties

2554 sats \ 14 replies \ @carter 15 Mar

You can write a script tag into the page with a specially crafted filter? https://example.com/index.php?filter[<script>alert('Hacked')</script>]=value

0 sats \ 1 reply \ @ek OP 3 Apr

I don't know if you looked up the solution, but you were the first one who posted the exploit code, so I'll also pay you next to #914079

100 sats \ 0 replies \ @carter 3 Apr

I did look up the documentation for the php functions and was testing if it actually was the hack with a wasm php thing so I appreciate it. I did feel dumb when they pointed out that the tweet had the answer when i even signed up for the blog to try and see if the answer was there

0 sats \ 1 reply \ @carter 15 Mar

https://example.com/index.php?filter[category%3Cscript%3Ealert%28%27Ha]=value&filter[cked%27%29%3C%2Fscript%3E]=val

you can also break it up into multiple categories and url encode because $_GET handles that. this would look normal to the user in the ui rendering as You're currently filtering by "category"

I still dont know what they wouldn't see

0 sats \ 0 replies \ @sox 16 Mar

Yeah that 'oversee' part threw me off but it's the first thing you see ^^

0 sats \ 9 replies \ @Scroogey 15 Mar

deleted by author

100 sats \ 5 replies \ @optimism 16 Mar

if that's so then @WeAreAllSatoshi got it right. But I agree with @ek, this is not something that would be missed by most bug hunters 😂

100 sats \ 4 replies \ @ek OP 3 Apr

lol that was indeed the case

but maybe the hard part was to actually exploit it, not just see that it could be exploited

100 sats \ 3 replies \ @optimism 3 Apr

I'd have paid the bounty to @WeAreAllSatoshi myself if you wouldn't have. Thanks for being cool and paying it out twice.

100 sats \ 2 replies \ @WeAreAllSatoshi 3 Apr

@ek and I are buds, he wouldn't do me like that

view all 2 replies

0 sats \ 0 replies \ @ek OP 16 Mar

damn, can't access, returns 429 Too Many Requests currently

0 sats \ 0 replies \ @carter 15 Mar

i was gonna ask if the answer was already given... it did get me to signup for that newsletter. my tin foil hat assumed this post is an ad

0 sats \ 0 replies \ @nitter 15 Mar bot

https://xcancel.com/intigriti/status/1893240582044066130

2583 sats \ 2 replies \ @WeAreAllSatoshi 15 Mar

Rendering the filter query inside of HTML markup without being sanitized is my guess. All user input is evil

100 sats \ 1 reply \ @ek OP 15 Mar

Yes but it doesn’t sound like this should be missed by most bug hunters 🤔

The exploitation method showcased in this example is commonly overseen by most bug bounty hunters, as they’re not aware of the possibility to pass your malicious XSS payload in this different format!

0 sats \ 0 replies \ @WeAreAllSatoshi 15 Mar

Agree, it’s just the first thing that I saw

130 sats \ 0 replies \ @Aardvark 15 Mar

Maybe it has a really hard time talking about it's feelings?

100 sats \ 4 replies \ @ek OP 3 Apr

~~@remindme in 1 day to pay out the bounty~~

paid the bounty to #914079

0 sats \ 2 replies \ @WeAreAllSatoshi 3 Apr

I wonder if you will still get reminded about this, because I don't think strikethroughs cancel it out?

100 sats \ 1 reply \ @ek OP 3 Apr

Yeah I probably will but maybe the mention regexp on the server didn't register the mention because of the ~ in front and deleted the reminder, let's see lol

0 sats \ 0 replies \ @WeAreAllSatoshi 3 Apr

Yea I don’t recall. Maybe it followed a word boundary so it did cancel it. Keep me posted lol

0 sats \ 0 replies \ @WeAreAllSatoshi 3 Apr

Hey thanks!

35 sats \ 0 replies \ @optimism 15 Mar

IMG source with external URL can return something nasty like SVG

33 sats \ 0 replies \ @WeAreAllSatoshi 15 Mar

The other option I see would be a maliciously-entered product entry with a bad name that could result in XSS when rendered, but that’s also implies compromise to your product management API

1 sat \ 0 replies \ @freber_dev 16 Mar freebie

’’’echo "<p>You're currently filtering by "" . implode(", ", array_keys($product_filter)) . ""</p>"; ’’’

0 sats \ 0 replies \ @freber_dev 16 Mar

echo "<p>You're currently filtering by "" . implode(", ", array_keys($product_filter)) . ""</p>";

That code part gives the opportunity for malicious user to injects JavaScript code into the filter parameter (e.g., via a URL query string like ?filter=<script>alert('XSS')</script>), it would be executed in the browser because the input is not sanitized or escaped.

0 sats \ 0 replies \ @carter 15 Mar

if you make a array querystring instead of a dict you can control the indexes of the array http://example.com?filter[]=1&filter[]=2&filter[]=3