I had a website owner reply with:
"What am I supposed to understand? All your URL does is show "OPENBUGBOUNTY" in a window. What's your point?"
While I can paste him some links and explain what XSS is, what would you say if you were asked? What wording would ensure it gets patched? How do I convince them that this is important and should be fixed?
Much appreciated
How to convince website owners that XSS should be fixed?
- CoolCanuck97
Re: How to convince website owners that XSS should be fixed?
I normally try the following.
1) Provide link on OWASP for explanation and top 10 web threats.
https://www.owasp.org/index.php/Cross-s ... ting_(XSS)
https://www.owasp.org/index.php/Top_10-2017_Top_10
2) Provide a thought experiment.
- Embed the vulnerable link (here [vulnerable site] with injected payload) in another malicious site, an advertisement, or as a phishing link in an email. The injected payload contains a script that redirects to a lookalike of the vulnerable site.
- The subject clicks on the link.
- The link goes to the trusted site (here [vulnerable site]), which in turn redirects to the malicious site.
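An added illustration for the site owner, not code from this thread: a minimal search page that reflects a query parameter, shown once with the bug (the parameter is placed in the markup unencoded) and once fixed with output encoding, plus a check that tells the two apart. The URL, the `q` parameter and the `OPENBUGBOUNTY` marker are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed probe: benign markup standing in for whatever a proof-of-concept link reflects.
PROBE = "<b>OPENBUGBOUNTY</b>"


def search_page_vulnerable(query: str) -> str:
    """Reflects the search term into the page as-is: the defect that lets a link
    carry markup (and, in a real report, a redirect script) into the page."""
    return f"<html><body><h1>Results for: {query}</h1></body></html>"


def search_page_fixed(query: str) -> str:
    """Same page, but the term is HTML-escaped before it is placed in markup, so
    '<', '>', '&' and quotes arrive as text, not as tags or attributes."""
    return f"<html><body><h1>Results for: {html.escape(query, quote=True)}</h1></body></html>"


def reflects_unencoded(render, url: str, param: str = "q") -> bool:
    """True when a value of `param` from `url` that contains markup characters
    appears verbatim in the rendered page. A plain word being reflected is
    expected behaviour; markup surviving unencoded is the problem."""
    values = parse_qs(urlsplit(url).query).get(param, [])
    markup = '<>"\''
    return any(
        v in render(v) for v in values if any(c in v for c in markup)
    )


if __name__ == "__main__":
    link = "https://example.test/search?q=%3Cb%3EOPENBUGBOUNTY%3C/b%3E"
    print("vulnerable reflects markup:", reflects_unencoded(search_page_vulnerable, link))
    print("fixed reflects markup:     ", reflects_unencoded(search_page_fixed, link))
```

The same `reflects_unencoded` check run against a real response body (instead of the local `render` functions) is a quick way to confirm that a fix actually encodes the parameter rather than just removing the reported string.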