Hi,
another solution for XSSPOSED text on alert/confirm/prompt boxes.
as we know vendors can easily find this text on logs, so they can patch without any credit to researcher (nor thanks)
so, my suggestion is, before researcher submit an xss, maybe xssposed can give him a secret random phrase for alerting it. then researcher uses that phrase instead of XSSPOSED. or there may be random + XSSPOSED + random, you decide. and xssposed can check it, if it is valid then approves.
xssposed text on alerts
Re: xssposed text on alerts
This is a good idea to implement. We will think how to implement it.
Re: xssposed text on alerts
adding onto this, couldn't a webadmin just search for alert/prompt/confirm instead?
there are always going to be companies who don't want to acknowledge researchers..
there are always going to be companies who don't want to acknowledge researchers..
Re: xssposed text on alerts
After internal discussion, we decided not to implement this now.
We don't change our verification IPs, we keep the same payload strings and we encourage researchers using real names in their profiles.
We are an open, transparent and user-friendly community. If someone wants so hard to keep his website vulnerable - this is his problem and responsibility (but so far, we have very very few cases like this).
We don't change our verification IPs, we keep the same payload strings and we encourage researchers using real names in their profiles.
We are an open, transparent and user-friendly community. If someone wants so hard to keep his website vulnerable - this is his problem and responsibility (but so far, we have very very few cases like this).
- mcurietribute
- Posts:19
- Joined:Sun Aug 27, 2017 5:01 pm
Re: xssposed text on alerts
tbmnull wrote: ↑Mon Mar 28, 2016 6:42 amHi,
another solution for XSSPOSED text on alert/confirm/prompt boxes.
as we know vendors can easily find this text on logs, so they can patch without any credit to researcher (nor thanks)
so, my suggestion is, before researcher submit an xss, maybe xssposed can give him a secret random phrase for alerting it. then researcher uses that phrase instead of XSSPOSED. or there may be random + XSSPOSED + random, you decide. and xssposed can check it, if it is valid then approves.
Code: Select all
<?php
echo(str_replace("openbugbounty", rtrim(base64_encode(md5(microtime())), "="), htmlentities("https://google.com/?q=<script>alert('openbugbounty')</script>")));
?>
But as someone else has stated, admins would be able to search for alert, prompt, and confirm to find the vulnerability in order to resolve the issue.
Re: xssposed text on alerts
Can anyone help I found a site vulnerable to reflected XSS but the browser does not support javascript, is there any way to bypass or get pass the browsers logic?
Who is online
Users browsing this forum: Google [Bot] and 2 guests