I am subscribed to the Intigriti newsletter and I was about to unsubscribe but then I saw that they included this section:
Hacking Time: Can you spot the XSS vulnerability?
XSS might be easy to find, or not.... Can you spot the cross-site scripting (XSS) vulnerability in this code snippet?
The exploitation method showcased in this example is commonly overseen by most bug bounty hunters, as they’re not aware of the possibility to pass your malicious XSS payload in this different format!
2.5k sats for the first correct answer!
2,500 sats bounty
Maybe it has a really hard time talking about its feelings?
reply
You can write a script tag into the page with a specially crafted filter? https://example.com/index.php?filter[<script>alert('Hacked')</script>]=value
reply
You can also break it up into multiple categories and URL-encode it, because $_GET handles that. This would look normal to the user in the UI, rendering as: You're currently filtering by "category"
I still don't know what they wouldn't see
reply
0 sats \ 0 replies \ @sox 16 Mar
Yeah that 'oversee' part threw me off but it's the first thing you see ^^
reply
deleted by author
reply
damn, can't access, returns 429 Too Many Requests currently
reply
if that's so then @WeAreAllSatoshi got it right. But I agree with @ek, this is not something that would be missed by most bug hunters 😂
reply
I was gonna ask if the answer was already given... it did get me to sign up for that newsletter. My tin foil hat assumed this post is an ad
reply
IMG source with external URL can return something nasty like SVG
reply
Rendering the filter query inside of HTML markup without being sanitized is my guess. All user input is evil
reply
100 sats \ 1 reply \ @ek OP 15 Mar
Yes but it doesn’t sound like this should be missed by most bug hunters 🤔
The exploitation method showcased in this example is commonly overseen by most bug bounty hunters, as they’re not aware of the possibility to pass your malicious XSS payload in this different format!
reply
Agree, it’s just the first thing that I saw
reply
The other option I see would be a maliciously entered product entry with a bad name that could result in XSS when rendered, but that also implies compromise of your product management API
reply
```php
// Snippet from the challenge: the filter keys are echoed straight into HTML
echo "<p>You're currently filtering by \"" . implode(", ", array_keys($product_filter)) . "\"</p>";
```
That code part gives a malicious user the opportunity to inject JavaScript code into the filter parameter (e.g. via a URL query string like ?filter=<script>alert('XSS')</script>); it would be executed in the browser because the input is not sanitized or escaped.
reply
If you make an array query string instead of a dict, you can control the indexes of the array: http://example.com?filter[]=1&filter[]=2&filter[]=3
reply
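The point made in several of the replies above (bracketed query-string keys become PHP array keys, and the snippet echoes those keys into HTML unescaped) as a runnable added example. This is not code from the newsletter or from anyone in the thread: `$product_filter` is the challenge's variable name, the query string is a constructed sample, and the three `render_*` functions are hypothetical names chosen here to show the vulnerable rendering next to two hardened versions.

```php
<?php
// Added example, not part of the challenge or the thread.
// Shows how PHP turns "filter[<key>]=value" into an array key, why echoing
// array keys into markup unescaped is an XSS sink, and two fixes.

// Constructed sample query string, exactly as the web server would hand it
// to PHP after the "?". One key carries markup, one is a normal filter name.
$query = 'filter[%3Ci%3Eunescaped%3C%2Fi%3E]=value&filter[color]=red';

// parse_str() applies the same decoding and bracket handling as $_GET,
// so $product_filter ends up with the decoded markup as an array KEY.
parse_str($query, $params);
$product_filter = $params['filter'];

// Vulnerable rendering from the challenge: keys are concatenated into HTML.
function render_vulnerable(array $product_filter): string
{
    return "<p>You're currently filtering by \""
        . implode(", ", array_keys($product_filter)) . "\"</p>";
}

// Fix 1: HTML-encode every key before it reaches markup. Keys need the same
// treatment as values; escaping only the values would leave this sink open.
function render_safe(array $product_filter): string
{
    $keys = array_map(
        fn($k) => htmlspecialchars((string) $k, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        array_keys($product_filter)
    );
    return "<p>You're currently filtering by \"" . implode(", ", $keys) . "\"</p>";
}

// Fix 2 (stricter): only known filter names are ever rendered, so an
// unexpected key is dropped instead of being displayed at all.
function render_allowlisted(array $product_filter, array $allowed): string
{
    $keys = array_values(array_intersect(array_keys($product_filter), $allowed));
    $keys = array_map(
        fn($k) => htmlspecialchars((string) $k, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $keys
    );
    return "<p>You're currently filtering by \"" . implode(", ", $keys) . "\"</p>";
}

// Quick defender's check: raw "<" in the rendered output means the markup
// injected through the key survived untouched.
function contains_raw_markup(string $html_fragment, string $key): bool
{
    return strpos($html_fragment, $key) !== false;
}

$injected_key = '<i>unescaped</i>';

echo render_vulnerable($product_filter), PHP_EOL;
echo render_safe($product_filter), PHP_EOL;
echo render_allowlisted($product_filter, ['color', 'size']), PHP_EOL;

var_dump(contains_raw_markup(render_vulnerable($product_filter), $injected_key));
var_dump(contains_raw_markup(render_safe($product_filter), $injected_key));
var_dump(contains_raw_markup(render_allowlisted($product_filter, ['color', 'size']), $injected_key));
```

Run it with `php example.php`. The first `var_dump` reports the injected key present verbatim in the vulnerable output, the other two report it absent. `htmlspecialchars` with `ENT_QUOTES` is the minimum for this sink because the snippet places the keys inside a double-quoted attribute-like string; the allowlist version is the better fix when the set of filter names is known, since it removes the untrusted data from the page rather than just encoding it.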