Bug 757947 - Cross-Site Scripting (XSS) in http://www.hackasaurus.org/en-US/
Status: RESOLVED INVALID (Closed)
Opened 12 years ago; closed 12 years ago
Product/Component: Websites :: Other (defect)
Tracking: Not tracked
Reporter: justashar; Assignee: Unassigned
Attachments: 2 files
Description

User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5

Steps to reproduce:
Hi, on http://www.hackasaurus.org/en-US/ I was creating a webpage to share with my friends, and what I found is XSS everywhere on the site.

Actual results:
I have found XSS in http://www.hackasaurus.org/en-US/goggles/ and nearly every field is vulnerable to XSS. I had published a page and the URL is: http://poof.hksr.us/isqddggv When you open the URL, you will see the effect of XSS. The site allows users to share and to have Ninja powers, and I have found XSS at every place. As an attachment you will see five to six different POC images of XSS.

Comment 1 • 12 years ago (Reporter)
I have five other screenshots in case you need them. Thanks!
Updated • 12 years ago
Group: mozilla-services-security → mozilla-confidential
Component: Web Site → Other
Product: Mozilla Services → Websites
QA Contact: website → other
Comment 2 • 12 years ago (Reporter)
Comment 3 • 12 years ago
Atul: Do you still own this site?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 5 • 12 years ago (Reporter)
Hi. Any update regarding this BUG?
Comment 6 • 12 years ago
I'm not sure I get this... you're taking the page, running a bookmarklet, making a copy of the page with your modifications. Your modified page can have modified code in it, yes -- that's the point of hackasaurus.
Comment 7 • 12 years ago (Reporter)
But Hackasaurus should not allow modifications that contain illegal vectors or XSS vectors. Hackasaurus should accept legitimate vectors/HTML tags for page modifications, and this is not the case, I think. Hackasaurus allows modifications and accepts non-legitimate vectors as input at every point. In general, content publishing sites allow one to modify the page, but one can only use legal vectors for modification, and this is not the case with Hackasaurus.
Comment 8 • 12 years ago
Hackasaurus is a learning tool. One person's "illegal vector" is another person's "hack" -- knowledge gained. Atul: is this a bug or a feature?
Comment 9 • 12 years ago (Reporter)
Hi Daniel, do you have confirmation from "Atul" about the issue? Thanks!
Comment 10 • 12 years ago
It's a feature, not a bug.
Updated • 12 years ago
Group: mozilla-confidential
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Updated • 12 years ago
Resolution: WORKSFORME → INVALID