Giffgaff.com reflective XSS (Unreportable) -_-

Lewis
Posts:20
Joined:Tue Nov 24, 2015 2:13 pm

Post by Lewis » Sat Dec 12, 2015 10:37 am

https://www.giffgaff.com/auth/signup

manually type "><svg/onload=prompt(document.domain)> into the email field and you'll get a popup; couldn't find a relevant header to report after some time searching; could you pls try manually approving it or? ;/


:|
:ugeek:

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: Giffgaff.com reflective XSS (Unreportable) -_-

Post by x1admin » Sat Dec 12, 2015 3:42 pm

please use https://www.xssposed.org/report/ to report

Lewis
Posts:20
Joined:Tue Nov 24, 2015 2:13 pm

Re: Giffgaff.com reflective XSS (Unreportable) -_-

Post by Lewis » Sat Dec 12, 2015 5:56 pm

reported it; please could ya manually submit as it didn't work last time; thanks.
:ugeek:

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: Giffgaff.com reflective XSS (Unreportable) -_-

Post by x1admin » Sun Dec 13, 2015 3:42 am

provide us with any solution for how this XSS can be exploited against other users

Lewis
Posts:20
Joined:Tue Nov 24, 2015 2:13 pm

Re: Giffgaff.com reflective XSS (Unreportable) -_-

Post by Lewis » Sun Dec 13, 2015 2:15 pm

half the POST-based reflective XSS reports on search functions are useless on this forum; this one equally as useless and just requires the same principles but without actually hitting enter on your keyboard and sending the request; whether or not it can be used against others isn't relevant if you're accepting POST-based reflective XSS's which are also useless ._.
:ugeek:

Spam404Online
Posts:296
Joined:Mon Nov 23, 2015 6:43 pm

Re: Giffgaff.com reflective XSS (Unreportable) -_-

Post by Spam404Online » Sun Dec 13, 2015 3:55 pm

Lewis wrote: half the POST-based reflective XSS reports on search functions are useless on this forum; this one equally as useless and just requires the same principles but without actually hitting enter on your keyboard and sending the request; whether or not it can be used against others isn't relevant if you're accepting POST-based reflective XSS's which are also useless ._.
I wouldn't call POST method XSS useless. It can be achieved without user interaction. See - http://hackers2devnull.blogspot.co.uk/2 ... ently.html

If the vulnerability you've found here can be achieved in a similar fashion I do believe it should be accepted though and more importantly, fixed by giffgaff.

Lewis
Posts:20
Joined:Tue Nov 24, 2015 2:13 pm

Re: Giffgaff.com reflective XSS (Unreportable) -_-

Post by Lewis » Wed Dec 16, 2015 7:22 pm

I agree, however even if it can't be achieved in the same manner it should at least be accepted; it's basically just utilizing ajax instead of a user actually hitting enter and submitting a post request; no reason why this should be treated to any others imo :)

Please submit mr admino
:ugeek:

mradamdavies
Posts:29
Joined:Wed Nov 25, 2015 3:00 pm

Re: Giffgaff.com reflective XSS (Unreportable) -_-

Post by mradamdavies » Wed Dec 16, 2015 10:03 pm

x1admin wrote: provide us with any solution for how this XSS can be exploited against other users
^Agreed.


Same example, different domain: http://uktvplay.uktv.co.uk
Copy/Pasta works, but end point is blocked so exploitation isn't possible.

You can't say a site is exploitable if you have to manually enter the PoC from the target's computer. If a _GET or _POST doesn't work, it's not vuln. Unless you get a virus on the "victim" and force them to manually type the PoC with malware, it's not an exploit. Nice reflective, but no dice.

vdvcoder
Posts:16
Joined:Mon Nov 23, 2015 5:29 pm

Re: Giffgaff.com reflective XSS (Unreportable) -_-

Post by vdvcoder » Thu Dec 17, 2015 10:41 pm

mradamdavies wrote:
x1admin wrote: provide us with any solution for how this XSS can be exploited against other users
^Agreed.


Same example, different domain: http://uktvplay.uktv.co.uk
Copy/Pasta works, but end point is blocked so exploitation isn't possible.

You can't say a site is exploitable if you have to manually enter the PoC from the target's computer. If a _GET or _POST doesn't work, it's not vuln. Unless you get a virus on the "victim" and force them to manually type the PoC with malware, it's not an exploit. Nice reflective, but no dice.
Good to know! Thank u!
