Submissions for chase.com and mcafee.com

Questions or requests about submissions
Lewis
Posts:20
Joined:Tue Nov 24, 2015 2:13 pm
Re: Submissions for chase.com and mcafee.com

Post by Lewis » Tue Jan 05, 2016 11:49 am

Spam404Online wrote:
x1admin wrote:if redirect via js we accept xss
Interesting though since it's arguably not an XSS vulnerability on the website.

I see it as misinformation in fact as reporting the vulnerability to the website owner would trigger them to patch the open redirect vulnerability.
As long as you can redirect it to a uri instead of an actual website i'd class this as xss, theres a reason google hasn't patched the open redirect vulns on their site because it doesnt allow a redirect to data: or a javascript: url
:ugeek:

ret2libc
Posts:62
Joined:Tue Nov 24, 2015 11:52 am

Re: Submissions for chase.com and mcafee.com

Post by ret2libc » Tue Jan 05, 2016 2:05 pm

Spam404Online wrote:
x1admin wrote:if redirect via js we accept xss
Interesting though since it's arguably not an XSS vulnerability on the website.

I see it as misinformation in fact as reporting the vulnerability to the website owner would trigger them to patch the open redirect vulnerability.
OWASP considers it as XSS.
Also you're saying this like its a bad thing that someone would be prompted to patch an open redirect.


Spam404Online
Posts:296
Joined:Mon Nov 23, 2015 6:43 pm
Contact:

Re: Submissions for chase.com and mcafee.com

Post by Spam404Online » Tue Jan 05, 2016 5:57 pm

Lewis wrote:As long as you can redirect it to a uri instead of an actual website i'd class this as xss, theres a reason google hasn't patched the open redirect vulns on their site because it doesnt allow a redirect to data: or a javascript: url
That's a good example with Google. I guess I see why they're considered XSS :)

ret2libc wrote:OWASP considers it as XSS.
Also you're saying this like its a bad thing that someone would be prompted to patch an open redirect.
That's not what I'm saying. I simply meant if the open redirects were patched with validation etc it would inadvertently patch the XSS vulnerability too :)

But, thanks for sharing the OWASP links and like I said to Lewis, I can now see why they're considered XSS. I'm fairly new to app sec so discussions like this are very beneficial for me!

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests