Giffgaff.com reflective XSS (Unreportable) -_-
https://www.giffgaff.com/auth/signup
manually type "><svg/onload=prompt(document.domain)> into the email field and you'll get a popup; couldnt find a relevant header to report after some time searching; could you pls try manually approve it or? ;/
manually type "><svg/onload=prompt(document.domain)> into the email field and you'll get a popup; couldnt find a relevant header to report after some time searching; could you pls try manually approve it or? ;/
Re: Giffgaff.com reflective XSS (Unreportable) -_-
please use https://www.xssposed.org/report/ for report
Re: Giffgaff.com reflective XSS (Unreportable) -_-
reported it; please could ya manually submit as it didnt work last time; thanks.
Re: Giffgaff.com reflective XSS (Unreportable) -_-
provide us any solution how this xss can be exploited against other users
Re: Giffgaff.com reflective XSS (Unreportable) -_-
half the post based reflective xss reports on search functions are useless on this forum; this one equally as useless and just requires the same principles but without actually hitting enter on your keyboard and sending the request; whether or not it can be used against others isnt relevant if you're accepting post based reflective xss's which are also useless ._.
-
- Posts:296
- Joined:Mon Nov 23, 2015 6:43 pm
- Contact:
Re: Giffgaff.com reflective XSS (Unreportable) -_-
I wouldn't call POST method XSS useless. It can be achieved without user interaction. See - http://hackers2devnull.blogspot.co.uk/2 ... ently.htmlLewis wrote:half the post based reflective xss reports on search functions are useless on this forum; this one equally as useless and just requires the same principles but without actually hitting enter on your keyboard and sending the request; whether or not it can be used against others isnt relevant if you're accepting post based reflective xss's which are also useless ._.
If the vulnerability you've found here can be achieved in a similar fashion I do believe it should be accepted though and more importantly, fixed by giffgaff.
Re: Giffgaff.com reflective XSS (Unreportable) -_-
I agree, however even if it cant be achieved in the same manner it should at least be accepted; its basically just utilizing ajax instead of a user actually hitting enter and submitting a post request; no reason why this should be treated to any others imo
Please submit mr admino
Please submit mr admino
- mradamdavies
- Posts:29
- Joined:Wed Nov 25, 2015 3:00 pm
- Contact:
Re: Giffgaff.com reflective XSS (Unreportable) -_-
^Agreed.x1admin wrote:provide us any solution how this xss can be exploited against other users
Same example, different domain: http://uktvplay.uktv.co.uk
Copy/Pasta works, but end point is blocked so exploitation isn't possible.
You can't say a site is exploitable if you have to manually enter the PoC from the target's computer. If a _GET or _POST doesn't work, it's not vuln. Unless you get a virus on the "victim" and force them to manually type the PoC with malware, it's not an exploit. Nice reflective, but no dice.
Re: Giffgaff.com reflective XSS (Unreportable) -_-
Good to know! Thank u!mradamdavies wrote:^Agreed.x1admin wrote:provide us any solution how this xss can be exploited against other users
Same example, different domain: http://uktvplay.uktv.co.uk
Copy/Pasta works, but end point is blocked so exploitation isn't possible.
You can't say a site is exploitable if you have to manually enter the PoC from the target's computer. If a _GET or _POST doesn't work, it's not vuln. Unless you get a virus on the "victim" and force them to manually type the PoC with malware, it's not an exploit. Nice reflective, but no dice.
Who is online
Users browsing this forum: No registered users and 2 guests