reply on: Can you spot the XSS vulnerability? \ stacker news ~security

pull down to refresh

54 sats \ 7 replies \ @carter 15 Mar \ on: Can you spot the XSS vulnerability? security

You can write a script tag into the page with a specially crafted filter? https://example.com/index.php?filter[<script>alert('Hacked')</script>]=value

0 sats \ 1 reply \ @carter 15 Mar

https://example.com/index.php?filter[category%3Cscript%3Ealert%28%27Ha]=value&filter[cked%27%29%3C%2Fscript%3E]=val

you can also break it up into multiple categories and url encode because $_GET handles that. this would look normal to the user in the ui rendering as You're currently filtering by "category"

I still dont know what they wouldn't see

0 sats \ 0 replies \ @sox 16 Mar

Yeah that 'oversee' part threw me off but it's the first thing you see ^^

0 sats \ 4 replies \ @Scroogey 15 Mar

deleted by author

0 sats \ 0 replies \ @ek OP 16 Mar

damn, can't access, returns 429 Too Many Requests currently

0 sats \ 0 replies \ @optimism 16 Mar

if that's so then @WeAreAllSatoshi got it right. But I agree with @ek, this is not something that would be missed by most bug hunters 😂

0 sats \ 0 replies \ @carter 15 Mar

i was gonna ask if the answer was already given... it did get me to signup for that newsletter. my tin foil hat assumed this post is an ad

0 sats \ 0 replies \ @nitter 15 Mar bot

https://xcancel.com/intigriti/status/1893240582044066130