WelcomeUser Guide
ToSPrivacyCanary
DonateBugsLicense

©2024 Poal.co

753

https://www.google.com/ <script>alert("hello");</script> <a href="https://www.yahoo.com">link</a>

https://www.google.com/ <script>alert("hello");</script> <a href="https://www.yahoo.com">link</a>

(post is archived)

[–] 3 pts

The first thing you do when you show up is you try to troll and rile up people... the second thing you do is attempt to test if you can perform a XSS attack on the front end? Yes I am sure you had the best intentions in mind. You were just helpfully testing the security of the site, yeah. No way you were thinking about trying to doxx all of the users here by forcing the execution of your own script file. No... I am sue your intentions were pure and just.

[–] 0 pt

actually i do that on any site i join and I usually report what i find to the site admins. e.g. i have found one small security hole on peteyvid.com and reported it and they fixed it in a few days.

believe me or not, i am just trying to be helpful.

the trolling thing was more of a test how the site works since i am not a very creative person, it thought i write what i read about the site before joining. as i have not yet been blocked it seems that the site is really allowing some bullshit, so it is interesting

[–] 0 pt

The funny thing is that he came right to one of my subs to do just that @AOU

...

@asdf_1111

What's your take on that, pissant?

[–] 0 pt

that was the first sub in the list since it starts with 0

[–] 0 pt

They all say that

[–] 0 pt

I think I have found something, now i just have to figure out how issue reporting works for the site

[–] 0 pt

Are your saying this user has malicious intents?

[–] 1 pt

ok, that looks like it is reasonably secure

[–] 2 pts

Sir, I am being very sorry to tell you that the test has indeed been failed. Please do the needful.

[–] 0 pt

i think it worked, the javascript did not leak

[–] 0 pt

You mean you failed like a piece of utter shit

Stop pretending you are anything but a piece of shit, everybody knows you're a piece of shit

The oldest script test in the world that never works anymore because people figured out how to safely store code in the DB decades ago

[–] 0 pt

that is not really DB stuff, that is Javascript stuff.

DB stuff would be something like

";drop users; --

It is DB stuff because anything put into the DB eventually gets taken out and it needs to be translated into safe information before deposit. Yes there is script handing on removal

[–] 0 pt

ok, you are right, that is stored xss

i remember that from a forum i ran as part of my job years ago, we found an xss bug in the php code and fixing it was difficult because it required rewriting all database entries to fix it. so we changed it to encode on the output and that was much easier and did not require any database encoding.

[–] 0 pt

and it is interesting how often that still works in a current website if it is new. i did a test on a portal maybe start of this year when I joined it and it worked to search for a XSS string in the search function and it would write out the title of the resulting web pages with the XSS code and would be vulnerable. i reported to the site admin and he fixed it in 1 day or 2