xssposed text on alerts

Questions or suggestions about the platform
Post Reply
tbmnull
Posts:184
Joined:Wed Dec 02, 2015 7:38 am
xssposed text on alerts

Post by tbmnull » Mon Mar 28, 2016 6:42 am

Hi,

another solution for XSSPOSED text on alert/confirm/prompt boxes.
as we know vendors can easily find this text on logs, so they can patch without any credit to researcher (nor thanks)
so, my suggestion is, before researcher submit an xss, maybe xssposed can give him a secret random phrase for alerting it. then researcher uses that phrase instead of XSSPOSED. or there may be random + XSSPOSED + random, you decide. and xssposed can check it, if it is valid then approves.
:D :roll:

User avatar
x1admin
Site Admin
Posts:3110
Joined:Sun Nov 15, 2015 7:04 pm

Re: xssposed text on alerts

Post by x1admin » Tue Mar 29, 2016 1:03 pm

This is a good idea to implement. We will think how to implement it.

0x0luke
Posts:29
Joined:Sat Feb 25, 2017 12:31 am

Re: xssposed text on alerts

Post by 0x0luke » Fri Apr 07, 2017 5:12 pm

adding onto this, couldn't a webadmin just search for alert/prompt/confirm instead?

there are always going to be companies who don't want to acknowledge researchers..

User avatar
x1admin
Site Admin
Posts:3110
Joined:Sun Nov 15, 2015 7:04 pm

Re: xssposed text on alerts

Post by x1admin » Mon Jul 31, 2017 4:50 am

After internal discussion, we decided not to implement this now.

We don't change our verification IPs, we keep the same payload strings and we encourage researchers using real names in their profiles.

We are an open, transparent and user-friendly community. If someone wants so hard to keep his website vulnerable - this is his problem and responsibility (but so far, we have very very few cases like this).

User avatar
mcurietribute
Posts:20
Joined:Sun Aug 27, 2017 5:01 pm

Re: xssposed text on alerts

Post by mcurietribute » Fri Oct 13, 2017 1:22 am

tbmnull wrote:
Mon Mar 28, 2016 6:42 am
Hi,

another solution for XSSPOSED text on alert/confirm/prompt boxes.
as we know vendors can easily find this text on logs, so they can patch without any credit to researcher (nor thanks)
so, my suggestion is, before researcher submit an xss, maybe xssposed can give him a secret random phrase for alerting it. then researcher uses that phrase instead of XSSPOSED. or there may be random + XSSPOSED + random, you decide. and xssposed can check it, if it is valid then approves.
:D :roll:

Code: Select all

<?php
	echo(str_replace("openbugbounty", rtrim(base64_encode(md5(microtime())), "="), htmlentities("https://google.com/?q=<script>alert('openbugbounty')</script>")));
?>
I've actually found companies that does this, it's rather rude, inconsiderate, and selfish in my opinion.

But as someone else has stated, admins would be able to search for alert, prompt, and confirm to find the vulnerability in order to resolve the issue.

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests