Cross-site Scripting (XSS) - Reflected in swiftyspiffy/twitch-token-generator


Reported on

Jul 10th 2021

✍️ Description

An (almost) XSS exists in this repository that, if not for the WAF used on, would have resulted in reflected XSS. Despite this, it is possible to inject HTML onto the page, making some attack scenarios possible.

🕵️‍♂️ Proof of Concept

  • Navigate to and generate an IP tracking URL.
  • Navigate to"><img src="YOUR_TRACKING_URL"/>
  • Notice how your IP was logged at

💥 Impact

As a result of this vulnerability, HTML markup can be injected onto; this is an insignificant issue due to the WAF in place, which prevents this issue from being escalated to reflected XSS or the use of <meta> tags to redirect victims.

Sidenote: The source code in the repository does not mitigate the reflected XSS issue; it is the WAF setup for that specific instance that mitigates the heightened risk. This is why I have reported the vulnerability as reflected XSS, because that is what exists in the source code of https://swiftyspiffy/twitch-token-generator.
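The bug class in this report, reduced to a runnable model. This is an added example and is not code from swiftyspiffy/twitch-token-generator (the page does not show the project's language or the contents of the fixing commit e0c209); it assumes a request handler that reflects an `error` query parameter (the parameter named in the maintainer's fix note) into an HTML attribute, and it uses placeholder URLs and a constructed payload in the shape of the proof of concept. The "before" function reproduces the HTML injection; the "after" function applies HTML escaping, the mitigation the maintainer describes. A small parser then lists the elements a browser would build from each output, which is the check a reviewer wants: the escaped version yields no extra element and still carries the original text as data.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed payload in the shape of the proof of concept; the tracking URL is a placeholder.
PAYLOAD = '"><img src="https://TRACKING_URL.example/pixel"/>'
# Constructed request URL; the host and path are assumptions, not the project's routes.
REQUEST_URL = "https://app.example/callback?" + urlencode({"error": PAYLOAD})


def error_param(url: str) -> str:
    """Extract the 'error' query parameter the way a web handler would (parameter name assumed)."""
    return parse_qs(urlparse(url).query).get("error", [""])[0]


def render_vulnerable(error: str) -> str:
    """'Before' shape: the parameter is interpolated raw into an attribute value.
    A value containing '">' closes the attribute and the tag, so anything after it is new markup."""
    return f'<input type="hidden" name="error" value="{error}">'


def render_fixed(error: str) -> str:
    """'After' shape: escape &, <, >, " and ' before interpolation, so the value
    can never terminate the attribute or start a new element."""
    return f'<input type="hidden" name="error" value="{html.escape(error, quote=True)}">'


class TagCollector(HTMLParser):
    """Records every element the markup would create, with its parsed attributes."""

    def __init__(self):
        super().__init__()
        self.elements = []

    # HTMLParser routes self-closing tags (<img .../>) through handle_starttag as well.
    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def elements_in(markup: str) -> list:
    """Return [(tag, {attr: value}), ...] for the given markup."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.elements


def main():
    error = error_param(REQUEST_URL)
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        markup = render(error)
        tags = [tag for tag, _ in elements_in(markup)]
        print(f"{label:10s} -> {markup}")
        print(f"{'':10s}    elements created: {tags}")


if __name__ == "__main__":
    main()
```

Running it shows the unescaped output producing two elements (`input` and the injected `img`, whose `src` would be fetched by the victim's browser) while the escaped output produces only the `input`, with the attribute's parsed value equal to the original string. The same escaping defeats the `<meta>` redirect variant mentioned under Impact, since a `<` can no longer open a tag; attribute-context escaping with `quote=True` is what matters here, because `html.escape` without it leaves double quotes intact and the attribute break-out would still work.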


We have contacted a member of the swiftyspiffy/twitch-token-generator team and are waiting to hear back a year ago
a year ago

Hi, looking into this.

a year ago

Added html escaping to error parameter. Should be fixed now. Thanks!

swiftyspiffy/twitch-token-generator maintainer validated this vulnerability a year ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
swiftyspiffy/twitch-token-generator maintainer marked this as fixed with commit e0c209 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Michael Rowley
a year ago
Awesome, thanks for the quick patch!
