status.php xss bug

Question

status.php xss bug

fd1f opened this issue 3 years ago · comments

fd1f744993de14178e6c commented 3 years ago

there is a weird thing on status.php, i'm not the one who found it. for example, you could go to
https://brax.me/prod/status.php?a=<script>alert('hello');document.body.innerText = "world"</script>
and it would run the javascript without a care.

nicolas fritzges · Answer 1 · Sun Sep 12 2021 05:50:49 GMT+0800 (China Standard Time)

it truly is a xss.
payload used: https://brax.me/prod/status.php?a=%3Cscript%3Ealert(document.domain.concat(%22%5Cn%22).concat(window.origin))%3C/script%3E

Rob Braxman · Answer 2 · Sun Sep 12 2021 06:51:31 GMT+0800 (China Standard Time)

Thank you. It was a test file. It is not used. It has been deleted. Appreciated!

Rob Braxman · Answer 3 · Sun Sep 12 2021 06:51:56 GMT+0800 (China Standard Time)

File deleted