status.php XSS bug
fd1f opened this issue · comments
fd1f744993de14178e6c commented
There is a weird thing on status.php; I'm not the one who found it. For example, you could go to
https://brax.me/prod/status.php?a=<script>alert('hello');document.body.innerText = "world"</script>
and it would run the JavaScript without a care.
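The report above describes a reflected XSS: the `a` query parameter is echoed into the HTML response without output encoding, so browser-side script supplied in the URL runs in the page's origin. The following is an added illustration, not the brax.me status.php source (the file was deleted and its contents are not shown in this issue); the function names, the assumed shape of the vulnerable echo, and the headers are assumptions. It puts the vulnerable pattern beside the corrected one so the fix is clear.

```php
<?php
// Added example, not the project's own code. The original status.php is not
// on the page; this reproduces the class of bug described in the report.

// Vulnerable pattern (assumed shape of the original test file): the query
// parameter is concatenated straight into HTML, so any markup or <script>
// element in ?a= becomes part of the document and executes in the site's origin.
function render_status_vulnerable(string $a): string
{
    return "<p>Status for: " . $a . "</p>";
}

// Corrected version: encode for the HTML text context. htmlspecialchars() turns
// <, >, &, " and ' into entities, so the parameter is displayed as text rather
// than parsed as markup. Always pass the charset explicitly.
function render_status_safe(string $a): string
{
    $encoded = htmlspecialchars($a, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Status for: " . $encoded . "</p>";
}

// Defence in depth: declare the content type and charset so browsers do not
// sniff the response, and add a CSP that blocks inline script even if an
// encoding mistake slips through elsewhere in the file.
header('Content-Type: text/html; charset=UTF-8');
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

$a = $_GET['a'] ?? '';          // untrusted input from the URL
echo render_status_safe($a);    // never render_status_vulnerable($a)
```

The encoding must match the output context: `htmlspecialchars()` is correct for text between tags or inside a quoted attribute, but a value placed into a `<script>` block, a URL, or an event handler needs a different encoder, and the safest design for an unused test endpoint is the one the maintainer chose here, which is to remove it.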
nicolas fritzges commented
It truly is an XSS.
Payload used: https://brax.me/prod/status.php?a=%3Cscript%3Ealert(document.domain.concat(%22%5Cn%22).concat(window.origin))%3C/script%3E
Rob Braxman commented
Thank you. It was a test file. It is not used. It has been deleted. Appreciated!
Rob Braxman commented
File deleted.