Cross-site Scripting (XSS) - Reflected in dmpop/mejiro
Oct 13th 2021
From OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script.
This report is a bypass of this report
Proof of Concept
Impacted GET variable :
- Cookie theft: Stealing the victim's cookie in order to access their account;
- Phishing: Rewriting the DOM of the page or redirecting the victim to a malicious site;
- Screenshot: Use HTML5 features to make a screenshot of the page from victim PoV;
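
The page does not show the impacted variable or the earlier fix that this report bypasses. As an added example (not code from the report or from mejiro), the JavaScript below assumes a hypothetical GET parameter `q` reflected into an attribute value, and shows how a fix that only neutralises tags can still be bypassed while full HTML encoding is not. All function names and sample inputs are constructed.

```javascript
// Added example: hypothetical handlers, not code from dmpop/mejiro.
// Each one reflects a GET parameter (assumed name: q) into an attribute value.

// Incomplete fix: neutralises tags only, so quote characters pass through.
function escapeTagsOnly(s) {
  return String(s).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Full HTML encoding: also covers & and both quote characters.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Build the reflected markup with a chosen encoder.
function render(q, encode) {
  return `<input name="q" value="${encode(q)}">`;
}

// True when the reflected value ends the attribute early, i.e. the markup
// after the first closing quote is anything other than the tag's own ">".
function breaksOut(html) {
  const m = /^<input name="q" value="([^"]*)"([\s\S]*)$/.exec(html);
  return m === null || m[2] !== ">";
}

// Constructed test inputs covering tag injection and attribute injection.
const SAMPLES = [
  "sunset photos",
  "<script>alert(1)</script>",
  '" autofocus onfocus="alert(1)',
  '"><img src=x onerror=alert(1)>',
];

// Return the samples that escape the attribute under a given encoder.
function audit(encode) {
  return SAMPLES.filter((q) => breaksOut(render(q, encode)));
}

console.log("no encoding :", audit((s) => s));
console.log("tags only   :", audit(escapeTagsOnly));
console.log("full encode :", audit(escapeHtml));
```

The tags-only encoder reports the same two breakouts as no encoding at all, because in an attribute context the quote character is what ends the value. The encoder has to match the context the value lands in.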
I'm too stupid to figure out how to fix the code. Any suggestion will be greatly appreciated.
Hi, I've joined a fix with the report :)
In case you don't see it: https://github.com/dmpop/mejiro/compare/HEAD...joshuamart:fix_xss
Ah! I've merged your changes into my repo. Thank you so much for your help!
@admin As seen with Dmitri Popov, the 0$ bounty is a mistake, but he doesn't know how to change it. Not having this point of view, I can't help him. Can you please tell him? Thanks
@maintainer - can you please confirm you are happy to reward the full disclosure bounty?
@admin Yes, I confirm that I'd like to reward the full disclosure bounty.
Sorted! ♥️ 💰
Thanks guys :)