Cross-site Scripting (XSS) - Reflected in swiftyspiffy/twitch-token-generatorValid
An (almost) XSS exists in this repository that, if not for the WAF used on
https://twitchtokengenerator.com; would have resulted in reflected XSS.
Despite this, it is possible to inject HTML onto the page, making some attack scenarios possible.
🕵️♂️ Proof of Concept
- Navigate to https://iplogger.org and generate an IP tracking URL.
- Navigate to
- Notice how your IP was logged at iplogger.org.
As a result of this vulnerability, HTML markup can be injected onto twitchtokengenerator.com, this is an insignificant issue due to the WAF in place that prevents this issue from being escalated to reflected XSS or the use of <meta> tags to redirect victims.
sidenote: The source code in the repository does not mitigate the reflected XSS issue, it is the WAF setup for that specific instance that mitigates the heightened risk; this is why I have reported the vulnerability as reflected XSS, because that is what exists in the source code of