Submissions for chase.com and mcafee.com

Questions or requests about submissions
ret2libc
Posts:62
Joined:Tue Nov 24, 2015 11:52 am
Post by ret2libc » Sun Jan 03, 2016 12:02 am

when will they be approved? :)

x1admin
Site Admin
Posts:3101
Joined:Sun Nov 15, 2015 7:04 pm

Post by x1admin » Sun Jan 03, 2016 9:23 am

approved

Post by ret2libc » Sun Jan 03, 2016 2:01 pm

thanks, what about XSS in *.worldbank.org (need to click 'here' to trigger) and XSS in *.hsbc.com?

Post by x1admin » Sun Jan 03, 2016 2:52 pm

approved

Spam404Online
Posts:296
Joined:Mon Nov 23, 2015 6:43 pm

Post by Spam404Online » Sun Jan 03, 2016 7:09 pm

Does the McAfee and Chase one leverage the open redirect?

Just wondering since I submitted open redirects for both domains you found.

Looks like a pattern here -
Last edited by Spam404Online on Thu Jan 07, 2016 8:52 am, edited 1 time in total.

Post by ret2libc » Sun Jan 03, 2016 9:53 pm

Thanks @admin
And yep it's leveraging a redirect via a data: uri w/ b64 encoded input

Post by Spam404Online » Mon Jan 04, 2016 1:16 am

ret2libc wrote:
Thanks @admin
And yep it's leveraging a redirect via a data: uri w/ b64 encoded input

So they're basically duplicates of mine? :D

Or should I go through and do this for all the open redirects I submitted?

Post by x1admin » Mon Jan 04, 2016 10:33 am

if redirect via js we accept xss

Post by ret2libc » Mon Jan 04, 2016 12:19 pm

Spam404Online wrote:
ret2libc wrote:Thanks @admin
And yep it's leveraging a redirect via a data: uri w/ b64 encoded input
So they're basically duplicates of mine? :D

Or should I go through and do this for all the open redirects I submitted?


well I wasn't aware you'd even found redirects in the same sites lol, anyone who does site:chase.com inurl:url=http can find those easily tho.
but yes in future you should attempt redirecting to a data: uri assuming it doesn't throw a corrupted content error

Post by Spam404Online » Mon Jan 04, 2016 8:40 pm

x1admin wrote:
if redirect via js we accept xss

Interesting though since it's arguably not an XSS vulnerability on the website.

I see it as misinformation in fact as reporting the vulnerability to the website owner would trigger them to patch the open redirect vulnerability.
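
The thread turns on a redirect parameter that accepts a data: URI when the redirect is performed in JavaScript. A defensive check on the redirect target, as an added example that is not part of any post; the host allow-list, base URL and sample inputs are constructed assumptions:

```javascript
// Added example, not code from the thread. The allow-list, base URL and
// sample inputs below are constructed for illustration.
const ALLOWED_HOSTS = new Set(["www.example.com", "secure.example.com"]);
const BASE = "https://www.example.com/"; // assumed origin of the redirecting page

// Returns a normalised URL that is safe to assign to location, or null.
function safeRedirectTarget(raw, allowedHosts = ALLOWED_HOSTS, base = BASE) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  // URL parsers silently drop tabs and newlines, which can hide a scheme
  // such as "java\tscript:", so refuse any control character outright.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return null;
  let url;
  try {
    // Resolving against the page origin also normalises "//host" and "\\host".
    url = new URL(raw, base);
  } catch {
    return null;
  }
  // Allow-list the scheme: rejects data:, javascript:, blob:, file: and so on.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // "https://trusted@other.host/" puts the trusted name in userinfo, not the host.
  if (url.username !== "" || url.password !== "") return null;
  // Exact host match; suffix or substring checks are easy to bypass.
  if (!allowedHosts.has(url.hostname)) return null;
  return url.href;
}

// Constructed sample values for a url= style parameter.
const SAMPLES = [
  "/account/home",
  "https://secure.example.com/login?next=1",
  "data:text/html;base64,PGI+eDwvYj4=",
  "//evil.example/x",
  "\\\\evil.example/x",
  "https://www.example.com@evil.example/",
];

// Pairs each sample with the validator's verdict (null means blocked).
function checkSamples() {
  return SAMPLES.map((s) => [s, safeRedirectTarget(s)]);
}

for (const [input, verdict] of checkSamples()) {
  console.log(JSON.stringify(input), "->", verdict === null ? "blocked" : verdict);
}
```

The same check belongs on the server when the redirect is issued with a Location header, so both redirect paths apply one policy.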
