Submissions for chase.com and mcafee.com
when will they be approved?
Re: Submissions for chase.com and mcafee.com
thanks, what about XSS in *.worldbank.org (need to click 'here' to trigger) and XSS in *.hsbc.com?
Re: Submissions for chase.com and mcafee.com
Does the McAfee and Chase one leverage the open redirect?
Just wondering since I submitted open redirects for both domains you found.
Looks like a pattern here -
Last edited by Spam404Online on Thu Jan 07, 2016 8:52 am, edited 1 time in total.
Re: Submissions for chase.com and mcafee.com
Thanks @admin
And yep it's leveraging a redirect via a data: uri w/ b64 encoded input
Re: Submissions for chase.com and mcafee.com
ret2libc wrote:
> Thanks @admin
> And yep it's leveraging a redirect via a data: uri w/ b64 encoded input

So they're basically duplicates of mine?
Or should I go through and do this for all the open redirects I submitted?
Re: Submissions for chase.com and mcafee.com
if redirect via js we accept xss
Re: Submissions for chase.com and mcafee.com
Spam404Online wrote:
> ret2libc wrote:
> > Thanks @admin
> > And yep it's leveraging a redirect via a data: uri w/ b64 encoded input
>
> So they're basically duplicates of mine?
> Or should I go through and do this for all the open redirects I submitted?

well I wasn't aware you'd even found redirects in the same sites lol, anyone who does site:chase.com inurl:url=http can find those easily tho.
but yes in future you should attempt redirecting to a data: uri assuming it doesn't throw a corrupted content error
Re: Submissions for chase.com and mcafee.com
x1admin wrote:
> if redirect via js we accept xss

Interesting though since it's arguably not an XSS vulnerability on the website.
I see it as misinformation in fact as reporting the vulnerability to the website owner would trigger them to patch the open redirect vulnerability.
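
Added example, not part of any post in this thread: one way a site owner could patch the open redirect discussed above, so that data: and javascript: targets and off-site hosts are refused before the redirect is issued. The function name, the allowed host names and the fallback path are assumptions made for illustration.

```javascript
// Hypothetical allowlist and fallback; a real site would use its own hosts.
const ALLOWED_HOSTS = new Set(["www.example.com", "login.example.com"]);
const FALLBACK = "/";
const BASE = "https://www.example.com";

// Returns an absolute URL that is safe to redirect to, or FALLBACK.
function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0) return FALLBACK;
  // Browsers strip control characters and surrounding whitespace before
  // parsing, which lets "java\tscript:" style inputs slip past naive
  // string checks. Refuse such input instead of normalising it.
  if (/[\u0000-\u001f\u007f]/.test(raw) || raw !== raw.trim()) return FALLBACK;
  // Browsers treat "\" as "/" in http(s) URLs ("/\host" becomes "//host").
  if (raw.includes("\\")) return FALLBACK;

  let url;
  try {
    url = new URL(raw, BASE); // resolves relative paths and "//host" forms
  } catch {
    return FALLBACK;
  }
  // Scheme allowlist: this is the check that refuses data: and javascript:.
  if (url.protocol !== "https:" && url.protocol !== "http:") return FALLBACK;
  // "https://www.example.com@other.host/" puts the trusted name in userinfo.
  if (url.username || url.password) return FALLBACK;
  // Exact host match, so "www.example.com.other.host" does not pass.
  if (!ALLOWED_HOSTS.has(url.hostname)) return FALLBACK;
  return url.href;
}

// Constructed sample inputs (not taken from the thread).
const SAMPLES = [
  "/account/home",
  "https://login.example.com/sso?x=1",
  "data:text/html;base64,aGVsbG8=",
  "javascript:void(0)",
  "//other.example.net/path",
  "https://www.example.com@other.example.net/",
  "https://www.example.com.other.example.net/",
];

function checkSamples() {
  return SAMPLES.map((s) => [s, safeRedirectTarget(s)]);
}
```
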