xssposed text on alerts

Posted: Mon Mar 28, 2016 6:42 am
by tbmnull
Hi,

Another solution for the XSSPOSED text on alert/confirm/prompt boxes.
As we know, vendors can easily find this text in logs, so they can patch without any credit to the researcher (nor thanks).
So, my suggestion is: before a researcher submits an XSS, maybe xssposed can give him a secret random phrase for alerting it. Then the researcher uses that phrase instead of XSSPOSED. Or there may be random + XSSPOSED + random, you decide. And xssposed can check it; if it is valid, then it approves.
:D :roll:

Re: xssposed text on alerts

Posted: Tue Mar 29, 2016 1:03 pm
by x1admin
This is a good idea to implement. We will think about how to implement it.

Re: xssposed text on alerts

Posted: Fri Apr 07, 2017 5:12 pm
by 0x0luke
Adding onto this, couldn't a webadmin just search for alert/prompt/confirm instead?

There are always going to be companies who don't want to acknowledge researchers.

Re: xssposed text on alerts

Posted: Mon Jul 31, 2017 4:50 am
by x1admin
After internal discussion, we decided not to implement this now.

We don't change our verification IPs, we keep the same payload strings, and we encourage researchers to use real names in their profiles.

We are an open, transparent and user-friendly community. If someone wants so badly to keep his website vulnerable, this is his problem and responsibility (but so far, we have very, very few cases like this).

Re: xssposed text on alerts

Posted: Fri Oct 13, 2017 1:22 am
by mcurietribute
tbmnull wrote:
Mon Mar 28, 2016 6:42 am
Hi,

Another solution for the XSSPOSED text on alert/confirm/prompt boxes.
As we know, vendors can easily find this text in logs, so they can patch without any credit to the researcher (nor thanks).
So, my suggestion is: before a researcher submits an XSS, maybe xssposed can give him a secret random phrase for alerting it. Then the researcher uses that phrase instead of XSSPOSED. Or there may be random + XSSPOSED + random, you decide. And xssposed can check it; if it is valid, then it approves.
:D :roll:

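<?php
	// Swap the fixed "openbugbounty" marker for a per-request string:
	// base64 of md5(microtime()), with the "=" padding trimmed.
	$marker = rtrim(base64_encode(md5(microtime())), "=");
	echo(str_replace("openbugbounty", $marker, htmlentities("https://google.com/?q=<script>alert('openbugbounty')</script>")));
?>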
I've actually found companies that do this; it's rather rude, inconsiderate, and selfish in my opinion.

But as someone else has stated, admins would be able to search for alert, prompt, and confirm to find the vulnerability in order to resolve the issue.
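
The secret-phrase idea from this thread, seen from the platform side: the snippet above only generates a random string, while the suggestion also needs the platform to recognise the phrase later. This is an added example, not code from any poster or from the site itself; the function names, the 24-hour lifetime and the marker layout (hex of expiry plus truncated HMAC) are assumptions.

```php
<?php
declare(strict_types=1);

const MARKER_TTL = 86400; // assumed policy: phrase is valid for 24 hours
const TAG_BYTES  = 12;    // HMAC-SHA256 tag truncated to 96 bits

// The MAC binds the phrase to one researcher, one target host and one expiry.
function marker_tag(string $key, string $researcher, string $host, int $expires): string {
    $msg = json_encode([$researcher, strtolower($host), $expires]);
    return substr(hash_hmac('sha256', $msg, $key, true), 0, TAG_BYTES);
}

// Handed to the researcher before submission; nothing is stored server-side.
function issue_marker(string $key, string $researcher, string $host, int $now): string {
    $expires = $now + MARKER_TTL;
    return bin2hex(pack('N', $expires) . marker_tag($key, $researcher, $host, $expires));
}

// Run when the platform re-checks the report and reads the phrase back.
function verify_marker(string $key, string $researcher, string $host, string $marker, int $now): bool {
    if (strlen($marker) !== 2 * (4 + TAG_BYTES) || !ctype_xdigit($marker)) {
        return false; // wrong shape, e.g. the old fixed string
    }
    $raw     = hex2bin($marker);
    $expires = unpack('N', substr($raw, 0, 4))[1];
    if ($now > $expires) {
        return false; // phrase has expired
    }
    // Constant-time comparison of the recomputed tag with the presented one.
    return hash_equals(marker_tag($key, $researcher, $host, $expires), substr($raw, 4));
}

// Constructed sample values; a real key would be a long-lived server secret.
$key    = random_bytes(32);
$now    = time();
$marker = issue_marker($key, 'researcher-42', 'shop.example', $now);

var_dump(verify_marker($key, 'researcher-42', 'shop.example', $marker, $now));         // same researcher and host
var_dump(verify_marker($key, 'someone-else', 'shop.example', $marker, $now));          // different researcher
var_dump(verify_marker($key, 'researcher-42', 'shop.example', $marker, $now + 90000)); // after the TTL
var_dump(verify_marker($key, 'researcher-42', 'shop.example', 'XSSPOSED', $now));      // fixed legacy string
```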

Re: xssposed text on alerts

Posted: Tue Oct 24, 2023 10:05 pm
by Z3n
Can anyone help? I found a site vulnerable to reflected XSS, but the browser does not support JavaScript. Is there any way to bypass or get past the browser's logic? :?: