Questions or suggestions about the platform
-
tbmnull
- Posts:184
- Joined:Wed Dec 02, 2015 7:38 am
xssposed text on alerts
by tbmnull » Mon Mar 28, 2016 6:42 am
Hi,
Another solution for XSSPOSED text on alert/confirm/prompt boxes.
As we know, vendors can easily find this text in logs, so they can patch without any credit to the researcher (nor thanks).
So, my suggestion is: before a researcher submits an XSS, maybe xssposed can give him a secret random phrase for alerting it. Then the researcher uses that phrase instead of XSSPOSED. Or there may be random + XSSPOSED + random, you decide. And xssposed can check it; if it is valid, then it approves.

-
x1admin
- Site Admin
- Posts:3110
- Joined:Sun Nov 15, 2015 7:04 pm
by x1admin » Tue Mar 29, 2016 1:03 pm
This is a good idea to implement. We will think about how to implement it.
-
0x0luke
- Posts:29
- Joined:Sat Feb 25, 2017 12:31 am
by 0x0luke » Fri Apr 07, 2017 5:12 pm
Adding onto this, couldn't a webadmin just search for alert/prompt/confirm instead?
There are always going to be companies who don't want to acknowledge researchers..
-
x1admin
- Site Admin
- Posts:3110
- Joined:Sun Nov 15, 2015 7:04 pm
by x1admin » Mon Jul 31, 2017 4:50 am
After internal discussion, we decided not to implement this now.
We don't change our verification IPs, we keep the same payload strings and we encourage researchers to use real names in their profiles.
We are an open, transparent and user-friendly community. If someone wants so badly to keep his website vulnerable, this is his problem and responsibility (but so far, we have very, very few cases like this).
-
mcurietribute
- Posts:20
- Joined:Sun Aug 27, 2017 5:01 pm
by mcurietribute » Fri Oct 13, 2017 1:22 am
tbmnull wrote: ↑Mon Mar 28, 2016 6:42 am
Hi,
Another solution for XSSPOSED text on alert/confirm/prompt boxes.
As we know, vendors can easily find this text in logs, so they can patch without any credit to the researcher (nor thanks).
So, my suggestion is: before a researcher submits an XSS, maybe xssposed can give him a secret random phrase for alerting it. Then the researcher uses that phrase instead of XSSPOSED. Or there may be random + XSSPOSED + random, you decide. And xssposed can check it; if it is valid, then it approves.
Code:
<?php
echo(str_replace("openbugbounty", rtrim(base64_encode(md5(microtime())), "="), htmlentities("https://google.com/?q=<script>alert('openbugbounty')</script>")));
?>
I've actually found companies that do this; it's rather rude, inconsiderate, and selfish in my opinion.
But as someone else has stated, admins would be able to search for alert, prompt, and confirm to find the vulnerability in order to resolve the issue.
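
The point raised in the replies above, that an admin who searches logs for alert/prompt/confirm finds the proof-of-concept request whatever marker string it displays, sketched as an added example (not code from any poster or from the platform). The log lines, IP addresses and marker values are constructed, and the function names are hypothetical.

```python
import html
import re
from urllib.parse import unquote_plus

# Dialog calls used in XSS proofs-of-concept, whatever string they display.
DIALOG_CALL = re.compile(r"\b(alert|confirm|prompt)\s*(?:\(|`)", re.IGNORECASE)
# Request target inside a combined-log-format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')

def normalise(target, max_rounds=3):
    """Undo repeated URL encoding and HTML entities so the payload is readable."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(target))
        if decoded == target:
            break
        target = decoded
    return target

def find_dialog_probes(log_lines):
    """Return (line_number, function, decoded_target) for requests calling a dialog function."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = normalise(match.group(1))
        call = DIALOG_CALL.search(target)
        if call:
            hits.append((number, call.group(1).lower(), target))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up marker values).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Oct/2017:01:20:01 +0000] "GET /?q=%3Cscript%3Ealert(%27openbugbounty%27)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Oct/2017:01:20:05 +0000] "GET /?q=%3Cscript%3Ealert(%27ZDQxZDhjZDk4ZjAw%27)%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.4 - - [13/Oct/2017:01:21:10 +0000] "GET /search?q=%253Cimg%2520src%253Dx%2520onerror%253Dprompt(1)%253E HTTP/1.1" 200 431',
    '198.51.100.9 - - [13/Oct/2017:01:22:30 +0000] "GET /blog/alerting-best-practices HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, function, target in find_dialog_probes(SAMPLE_LOG):
        print(f"line {number}: {function}() in {target}")
```

The fixed marker and the randomised one are flagged alike, the double-encoded request is caught after decoding, and the ordinary URL containing the word "alerting" is not.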