Cross-Site Scripting (XSS) in http://www.hackasaurus.org/en-US/

Status: RESOLVED INVALID
Product: Websites
Component: Other
Reported: 6 years ago
Last modified: 5 years ago

Reporter: Ashar Javed
Assignee: Unassigned
Attachments: 2

(Reporter)

Description

6 years ago
Created attachment 626536
hackasaurus_xss_2_share friends.JPG

User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5

Steps to reproduce:

Hi,

On http://www.hackasaurus.org/en-US/ I was creating a webpage to share it with my friends, and what I found is XSS everywhere on the site.


Actual results:

I have found XSS in http://www.hackasaurus.org/en-US/goggles/ and nearly every field is vulnerable to XSS. I have published a page and the URL is:

http://poof.hksr.us/isqddggv

When you open the URL ... you will see the effect of the XSS. The site allows users to share and to have Ninja powers ... and I have found XSS at every place. As attachments you will see five to six different POC images of the XSS.
(Reporter)

Comment 1

6 years ago
I have five other screenshots in case you need them. Thanks!

Updated

6 years ago
Group: mozilla-services-security → mozilla-confidential
Component: Web Site → Other
Product: Mozilla Services → Websites
QA Contact: website → other
(Reporter)

Comment 2

6 years ago
Created attachment 626548
When someone clicks on publish, the XSS pop-up appears

Comment 3

6 years ago
Atul: Do you still own this site?
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 5

6 years ago
Hi. Any update regarding this BUG?

Comment 6

6 years ago
I'm not sure I get this... you're taking the page, running a bookmarklet, making a copy of the page with your modifications. Your modified page can have modified code in it, yes -- that's the point of hackasaurus.
(Reporter)

Comment 7

6 years ago
But Hackasaurus should not allow modifications that contain illegal vectors or XSS vectors. Hackasaurus should accept legitimate vectors/HTML tags for page modifications & this is not the case, I think. Hackasaurus allows modifications & accepts non-legitimate vectors as input at every point. In general, content publishing sites allow one to modify the page, but one can only use legal vectors for modification & this is not the case with Hackasaurus.

Comment 8

6 years ago
Hackasaurus is a learning tool. One person's "illegal vector" is another person's "hack" -- knowledge gained.

Atul: is this a bug or a feature?
(Reporter)

Comment 9

6 years ago
Hi Daniel,

Do you have confirmation from "Atul" about the issue? Thanks!

Comment 10

6 years ago
It's a feature, not a bug.
Group: mozilla-confidential
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME
Resolution: WORKSFORME → INVALID
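The disagreement between comment 7 (filter the HTML) and comment 10 (script in a remix is the feature) turns on where that script runs. A remix that can execute arbitrary JavaScript is only a feature if it cannot act as the application's origin. The JavaScript below is an added example, not Hackasaurus code, showing the two checks a practitioner would want before serving raw user-authored HTML: that the publish host is a different origin from the app (the report shows remixes at poof.hksr.us rather than hackasaurus.org), and that the response carries a CSP `sandbox` directive that gives the document an opaque origin. The hostnames, the page store, the sample payload and all function names are assumptions made for this example.

```javascript
// Added example, not Hackasaurus code. Shows the two checks that decide whether
// "script in a remixed page" is a feature (it runs in its own sandbox) or a
// bug (it runs as the app's origin). Every hostname, the page store and the
// function names below are assumptions made for this example.

const APP_ORIGIN = 'https://app.example';          // assumed: where sessions/cookies live
const PUBLISH_ORIGIN = 'https://publish.example';  // assumed: where remixes are served

// Constructed sample store: one published remix carrying the kind of payload
// the reporter calls an "XSS vector". It is stored verbatim on purpose; the
// tool's point is that learners may put script in their copy of a page.
const pages = new Map([
  ['isqddggv', '<h1>Remixed page</h1><script>alert(document.cookie)</script>'],
]);

// Check 1: a published page must not share an origin with the app. Scheme,
// host and port all count; a different path on the same host is not enough.
function isIsolatedFrom(appOrigin, publishUrl) {
  return new URL(appOrigin).origin !== new URL(publishUrl).origin;
}

// Check 2: raw user HTML is served with a CSP `sandbox` directive. Without
// `allow-same-origin` the document gets an opaque origin, so its scripts run
// (allow-scripts) but cannot read cookies or storage for the serving host,
// and fetch/XHR from it is treated as cross-origin.
const STRICT_SANDBOX = 'sandbox allow-scripts allow-forms allow-popups';
const WEAK_SANDBOX = 'sandbox allow-scripts allow-same-origin'; // what not to ship

// A policy is acceptable for user HTML only if it is a sandbox policy and
// does not hand the document back its real origin.
function isSafeSandboxPolicy(csp) {
  const tokens = String(csp).trim().split(/\s+/);
  return tokens[0] === 'sandbox' && !tokens.includes('allow-same-origin');
}

function publishHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': STRICT_SANDBOX,
    'Referrer-Policy': 'no-referrer',
  };
}

// Response for GET /<id> on the publish host: 404 for unknown ids, otherwise
// the stored HTML verbatim with the isolating headers. Resolving the path
// against PUBLISH_ORIGIN strips any query string before the lookup.
function buildResponse(path) {
  const id = new URL(path, PUBLISH_ORIGIN).pathname.slice(1);
  if (!pages.has(id)) {
    return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
  }
  return { status: 200, headers: publishHeaders(), body: pages.get(id) };
}
```

`buildResponse` is written to be plugged into any HTTP handler (`res.writeHead(r.status, r.headers); res.end(r.body)`). Two caveats: the `sandbox` directive is only honoured when delivered as a response header, not in a `<meta>` tag, and `isIsolatedFrom` is an origin check, not a site check. A subdomain of the app's registrable domain passes it but can still set domain-scoped cookies, so a separate registrable domain for published pages is the safer choice.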

Updated

5 years ago
Blocks: 836522