Reflected XSS in codepen.io
This time I thought of looking for XSS in codepen.io, so I created an account on codepen.io.
There was a project page where users submit projects and you can comment on their project,
so I thought at first glance: why not look for XSS, as there is a comment box and there might be some escape character that would help me.
About reflected XSS:
It is a type of XSS in which attacker-controlled client-side code (usually JavaScript) is carried in a request and reflected back into the response page unescaped, so the victim's browser executes it in the context of the site.
Why does this happen?
Because user-supplied input is placed into the page without proper sanitization or context-appropriate output encoding.
Here is the PoC:
1. Go to https://codepen.io/<username>/project/details/AVGOPD/
2. Add the following payload: /*-->]]>%>?></object></script></title></textarea></noscript></style></xmp>'-/"/-alert(1)//><img src=1 onerror=alert(1)>'
3. Replace "src=1" with the image you want to show, as I did.
4. It now reflects in the page, as in the image below.
You can deliver the reflected payload through a cross-site request (the "CSRF" in this write-up: a crafted link or auto-submitting form), which leads to a popup of "1" or whatever your payload is.
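The payload above is a polyglot: it closes whatever context the input lands in (comment, CDATA, template tag, `<script>`, `<title>`, `<textarea>`, quoted attribute) and then opens its own `<img onerror>`. The added example below is not from the original post or from CodePen's code; it is an illustrative rendering function (the names `renderCommentVulnerable`, `naiveStripScript`, `escapeHtml`, `renderCommentSafe` and `containsInjectedMarkup` are assumptions) that shows why a tag blacklist does not stop this payload and why contextual HTML escaping does.

```javascript
// Added example, not CodePen's code. Demonstrates the "no proper sanitization"
// failure from the write-up against the polyglot payload, and the fix.

// The polyglot from the PoC, constructed here as the untrusted comment text.
const POLYGLOT =
  "/*-->]]>%>?></object></script></title></textarea></noscript></style></xmp>" +
  "'-/\"/-alert(1)//><img src=1 onerror=alert(1)>'";

// Vulnerable: the comment is concatenated straight into the HTML response.
function renderCommentVulnerable(comment) {
  return `<div class="comment">${comment}</div>`;
}

// A blacklist "fix" that only removes <script> tags. The polyglot never needs one:
// its executable part is an <img> with an onerror handler.
function naiveStripScript(comment) {
  return comment.replace(/<\/?script[^>]*>/gi, "");
}

// Hardened: encode the five HTML-significant characters for an element-text
// context. Attribute, URL and JavaScript contexts need their own encoders.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Crude check used only for this demo: after removing the wrapper the template
// itself emitted, does the output still contain a tag opener (<tag, </tag, <!)?
// An "onerror=" that is not inside a tag is inert text, so only tag openers count.
function containsInjectedMarkup(html) {
  const stripped = html
    .replace(/^<div class="comment">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-z!\/]/i.test(stripped);
}

// Stand-alone run: show the three outcomes.
console.log("vulnerable  :", containsInjectedMarkup(renderCommentVulnerable(POLYGLOT)));
console.log("strip script:", containsInjectedMarkup(renderCommentVulnerable(naiveStripScript(POLYGLOT))));
console.log("escaped     :", containsInjectedMarkup(renderCommentSafe(POLYGLOT)));
```

The blacklisted version still ships `</object>`, `</textarea>`, the quote-breaking `'-/"/-` fragment and the `<img onerror>`, so it is just as exploitable; the escaped version contains no `<` at all, so the browser renders the payload as literal text. That is why testing with one polyglot is a cheap way to find the spot where encoding is missing, and why the fix is encoding for the exact output context rather than stripping known-bad tags.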
Unfortunately, I sent them the PoC combined with the CSRF, but they said it was not in scope,
so I released it.