Cross-site Scripting (XSS) - Reflected in thecoshman/http


Reported on

May 12th 2021

✍️ Description

The web server is vulnerable to reflected cross-site scripting (XSS). An attacker can host a file whose file name is an XSS payload. When a user visits the web server address, the JavaScript in the file name is executed in the user's browser.

This happens because the file name is not properly sanitized before it is included in the page.
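The mitigation for this class of bug is to encode the file name for the context it is written into. The Rust sketch below is an added example, not code from thecoshman/http: the function names and the `<li><a>` listing markup are assumptions, and only the file name is taken from the proof of concept on this page.

```rust
// Added example: hypothetical listing renderer, not thecoshman/http source.

/// Escape the characters that are significant in HTML text and attribute values.
fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Percent-encode a file name for use as a relative URL path segment.
fn encode_path_segment(name: &str) -> String {
    let mut out = String::new();
    for b in name.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Vulnerable shape: the file name goes into the markup verbatim.
fn render_entry_unsafe(name: &str) -> String {
    format!("<li><a href=\"{}\">{}</a></li>", name, name)
}

/// Hardened shape: URL-encode for the href, HTML-escape for the link text.
fn render_entry_safe(name: &str) -> String {
    format!("<li><a href=\"{}\">{}</a></li>", encode_path_segment(name), escape_html(name))
}

fn main() {
    // File name from the proof of concept on this page.
    let name = "<img src=x onerror=alert(document.domain)>";
    println!("{}", render_entry_unsafe(name));
    println!("{}", render_entry_safe(name));
}
```

With the hardened renderer the browser shows the file name as literal text, and the link still resolves to the same file.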

🕵️‍♂️ Proof of Concept

- Create a file with the file name `<img src=x onerror=alert(document.domain)>`
- Start the web server (
- Visit the web address (port 8000 by default)

The JavaScript will be executed and you'll see an alert box pop up.


💥 Impact

This vulnerability allows an attacker to execute JavaScript code in the victim's browser.
