Cross-site Scripting (XSS) - Reflected in swiftyspiffy/twitch-token-generator

Reported on Jul 10th 2021

✍️ Description

An (almost) XSS exists in this repository that, if not for the WAF used on, would have resulted in reflected XSS. Despite this, it is possible to inject HTML onto the page, which makes some attack scenarios possible.

🕵️‍♂️ Proof of Concept

  • Navigate to and generate an IP tracking URL.
  • Navigate to"><img src="YOUR_TRACKING_URL"/>
  • Notice how your IP was logged at

💥 Impact

As a result of this vulnerability, HTML markup can be injected onto. This is an insignificant issue due to the WAF in place, which prevents the issue from being escalated to reflected XSS or to the use of <meta> tags to redirect victims.

Sidenote: The source code in the repository does not mitigate the reflected XSS issue; it is the WAF set up for that specific instance that mitigates the heightened risk. This is why I have reported the vulnerability as reflected XSS, because that is what exists in the source code of https://swiftyspiffy/twitch-token-generator.
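The attribute-breakout described in the proof of concept, and the escaping fix the maintainer mentions later in the thread, shown side by side as an added example. This is not the project's own code: the page does not show the project's template or language, so Python is used as a stand-in, the parameter name "error" is taken from the maintainer's comment, and the tracking URL is a constructed placeholder. The example renders the reflected parameter into an HTML attribute with and without escaping, then uses Python's HTML parser to list which elements a browser would actually see.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the payload shape from the report, with the
# elided tracking URL replaced by an obvious placeholder.
PAYLOAD = '"><img src="https://TRACKING_URL_PLACEHOLDER/pixel"/>'


def render_error_vulnerable(error: str) -> str:
    """The 'before': the ?error= value is reflected into a quoted attribute
    without escaping, so a leading '">' closes the attribute and the tag."""
    return f'<input type="text" name="error" value="{error}">'


def render_error_fixed(error: str) -> str:
    """The 'after': HTML-escape the value. quote=True (the default) also turns
    '"' and "'" into entities, which is what keeps an attribute context safe;
    escaping only < > & would still allow the breakout."""
    return f'<input type="text" name="error" value="{html.escape(error, quote=True)}">'


class TagCollector(HTMLParser):
    """Record the start tags the parser sees; HTMLParser routes self-closing
    tags such as <img .../> through handle_starttag as well."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def rendered_tags(markup: str) -> list[str]:
    """Elements a browser would build from the rendered page fragment."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def check_reflection(render) -> dict:
    """Render the constructed payload with the given renderer and report
    whether an attacker-controlled <img> element ended up in the DOM."""
    markup = render(PAYLOAD)
    tags = rendered_tags(markup)
    return {"html": markup, "tags": tags, "img_injected": "img" in tags}


if __name__ == "__main__":
    for name, render in (("vulnerable", render_error_vulnerable),
                         ("fixed", render_error_fixed)):
        result = check_reflection(render)
        print(f"{name}: tags={result['tags']} img_injected={result['img_injected']}")
        print("  " + result["html"])
```

The same check is a cheap regression test for the patched template: render a known breakout string and assert that the only element in the output is the one the template itself emits. Note that escaping is context-specific; the quote=True form covers quoted attribute values and text nodes, but an unquoted attribute or a value placed inside a script block or URL would need different handling.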

We have contacted a member of the swiftyspiffy/twitch-token-generator team and are waiting to hear back 16 days ago
16 days ago

Hi, looking into this.

16 days ago

Added html escaping to error parameter. Should be fixed now. Thanks!

swiftyspiffy/twitch-token-generator maintainer validated this vulnerability 16 days ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
swiftyspiffy/twitch-token-generator maintainer confirmed that a fix has been merged on e0c209 16 days ago
The fix bounty has been dropped
Michael Rowley
16 days ago

Awesome, thanks for the quick patch!