Neurohazard
暮雲煙月,皓首窮經;森羅萬象,如是我聞。

【Bug Bounty 阅读笔记】【hackerone】 imgur XSS #484434

wpadmin~March 11, 2019 /InfoSec

Hackerone 报告阅读笔记 imgur XSS #484434

报告笔记

首先注意到服务端会对 <> 进行过滤。
不过 Gid Sumaya (giddsec) 发现可以通过对 <, > HTML 实体编码绕过 过滤防御机制。

一个有效的 payload 如下

"/><script>alert(1)</script>"/>
"/><script>alert(1)</script>"/>

参考资料

https://hackerone.com/reports/484434#

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.