How to convince website owners that XSS should be fixed?

Your experience of helping website owners
CoolCanuck97
Posts:34
Joined:Sun Jun 12, 2016 11:07 pm
How to convince website owners that XSS should be fixed?

Post by CoolCanuck97 » Mon Feb 12, 2018 5:39 am

I had a website owner reply with:
"What am I supposed to understand? All your URL does is show "OPENBUGBOUNTY" in a window. What's your point?"

While I can paste him some links and explain what XSS is, what would you say if you were asked? What wording would ensure it gets patched? How do I convince them that this is important and should be fixed?

Much appreciated
Site Username: CoolCanuck

npuser500
Posts:141
Joined:Sun Mar 13, 2016 2:14 am

Re: How to convince website owners that XSS should be fixed?

Post by npuser500 » Mon Feb 12, 2018 5:44 pm

I normally try the following.
1) Provide a link to the OWASP explanation and the Top 10 web threats.
https://www.owasp.org/index.php/Cross-s ... ting_(XSS)
https://www.owasp.org/index.php/Top_10-2017_Top_10
2) Provide a thought experiment.
  • Embed the vulnerable link (here [vulnerable site] with injected payload) in another malicious site, in an advertisement, or as a phishing link in an email. The injected payload contains a script that redirects to a lookalike of the vulnerable site.
  • Subject clicks on the link.
  • Link redirects to trusted site (here [vulnerable site]) which in turn redirects to malicious site.
3) In one case, I provided an example of redirection to Facebook (instead of a prompt) with XSS and explained it could have been any other malicious site to steal passwords or credit cards.
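An added illustration, not from either poster, of the point behind the owner's "all it does is show a window" objection: the proof-of-concept only pops a window because that is what the reporter chose to inject, while the page itself will run any script placed in that parameter. The snippet below builds a constructed search page that reflects a query parameter, first verbatim (the vulnerable shape) and then with HTML output encoding (the fix), so the two renderings can be compared side by side. The hostname, template and parameter name are assumptions made for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page fragment: the value of the "q" parameter is reflected
# into element content. Which renderer fills {value} decides whether the
# browser sees markup or text.
TEMPLATE = "<html><body><p>Results for: {value}</p></body></html>"

# Constructed proof-of-concept URL of the kind a report in this thread would
# carry; the payload only shows a window, which is the benign demonstration.
SAMPLE_URL = (
    "https://example.test/search?q="
    "%3Cscript%3Ealert(%22OPENBUGBOUNTY%22)%3C/script%3E"
)


def extract_query(url: str, name: str = "q") -> str:
    """Return the first (percent-decoded) value of query parameter `name`, or ''."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the parameter verbatim: whatever markup the URL carries becomes
    part of the page, so the browser executes it as the site's own script."""
    return TEMPLATE.format(value=extract_query(url))


def render_hardened(url: str) -> str:
    """HTML-encode the parameter before it enters element content, so the same
    input is displayed as literal text instead of being parsed as markup."""
    return TEMPLATE.format(value=html.escape(extract_query(url), quote=True))


def contains_script_element(rendered: str) -> bool:
    """Crude marker used only to contrast the two renderings above."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_URL))
    print("hardened:  ", render_hardened(SAMPLE_URL))
```

The talking point for the owner is the first line of output: the `<script>` element lands inside their own HTML, and the `alert` call in it is interchangeable with a redirect or any other script, which is exactly the thought experiment described above. The second line shows that one context-appropriate encoding step turns the same request into harmless text, so the fix is small.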
