Created attachment 626536 [details] hackasaurus_xss_2_share friends.JPG User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5 Steps to reproduce: Hi, On http://www.hackasaurus.org/en-US/ I was creating a webpage to share it with my friends and what I have found XSS everywhere on the site. Actual results: I have found XSS in http://www.hackasaurus.org/en-US/goggles/ and nearly everyfield is vulnerable to XSS. I had publish a page and the URL is: http://poof.hksr.us/isqddggv When you will open the URL ... you will see the effect of XSS. Site allows user to share and to have Ninja powers ... and I have found XSS at every place. As an attachment you will see five to six different POC images of XSS.
I have five other screen-shots in case you will need. Thanks!
Group: mozilla-services-security → mozilla-confidential
Component: Web Site → Other
Product: Mozilla Services → Websites
QA Contact: website → other
Atul: Do you still own this site?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hi. Any update regarding this BUG?
I'm not sure I get this... you're taking the page, running a bookmarklet, making a copy of the page with your modifications. Your modified page can have modified code in it, yes -- that's the point of hackasaurus.
But Hackasaurus should not allowed modifications that contains illegal vectors or XSS vectors. Hackasaurus should accept legitimate vectors/HTML tags for page modifications & this is not the case, I think. Hackasaurus allows modifications & accept non-legitimate vectors as input at every-point. In general content publishing sites allows one to modify the page but one can only use legal vectors for modification & this is not the case with Hackasaurus.
Hackasaurus is a learning tool. One person's "illegal vector" is another person's "hack" -- knowledge gained. Atul: is this a bug or a feature?
Hi Daniel, Do you have confirmation from "Atul" about the issue? Thanks!
It's a feature, not a bug.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.