Bug Hunting - Cross Site Scripting (XSS) Vulnerability Found On SteemMakers

in #utopian-io · 4 years ago

Project Information

Expected behavior

SteemMakers should defend against Cross Site Scripting (XSS) by validating user-supplied input and encoding it before reflecting it into the page.

Actual behavior

SteemMakers is vulnerable to Cross Site Scripting (XSS) attacks.

How to reproduce

I checked for Cross Site Scripting (XSS) vulnerabilities on SteemMakers. One of these experiments reflected a cookie on the screen. It is not good that such an important vulnerability was present on SteemMakers.

Cross Site Scripting (XSS) is a high-severity vulnerability that lets an attacker deliver malicious code (usually JavaScript) to another user through a vulnerable site, and it has a standing place in the OWASP Top 10 list of web application security risks. SteemMakers is vulnerable to XSS injection. A malicious user could inject JavaScript, VBScript, ActiveX, HTML or Flash into the vulnerable page and use it to gather data from the users who load it, such as their session cookies.

  • The limit query parameter is reflected into the page without encoding, so loading the following URL executes the injected script (here a JavaScript alert):

https://www.steemmakers.com/?limit='"()<ScRiPt >alert('!!! XSS Vulnerability Found by emirfirlar !!!')</ScRiPt>

  • Browser/App version: Firefox Quantum 60.0.1 (32-bit)
  • Operating system: Windows 7 Professional SP1 (32-bit), Intel Core 2 Duo 2.13 GHz, 4 GB RAM
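As an added example, not code from the SteemMakers project or from this report, the following Node.js snippet reproduces the pattern behind the payload URL above: a page that concatenates the raw limit query parameter into its HTML, beside two server-side defences, output encoding and strict validation of limit as a bounded integer. The template text, default limit and function names are assumptions for illustration; only the payload URL is taken from the report.

```javascript
// Added example, not SteemMakers' own code: reflected XSS through a
// `limit` query parameter and two server-side defences against it.
// Template text, default limit and function names are assumptions.

// Constructed from the proof-of-concept URL in the report above.
const PAYLOAD_URL =
  "https://www.steemmakers.com/?limit='\"()<ScRiPt >alert('!!! XSS " +
  "Vulnerability Found by emirfirlar !!!')</ScRiPt>";

// Vulnerable rendering: the raw parameter is concatenated into HTML,
// so the browser parses the injected <ScRiPt> tag and runs it.
function renderVulnerable(pageUrl) {
  const limit = new URL(pageUrl).searchParams.get("limit") ?? "10";
  return `<p>Showing ${limit} projects</p>`;
}

// Defence 1, output encoding: turn the five HTML-significant
// characters into entities so user input is shown as text, not markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Encoding alone already neutralises the payload: the tag is still
// visible on screen, but only as literal text.
function renderEscaped(pageUrl) {
  const limit = new URL(pageUrl).searchParams.get("limit") ?? "10";
  return `<p>Showing ${escapeHtml(limit)} projects</p>`;
}

// Defence 2, input validation: `limit` is a page size, so accept only
// a small positive integer and fall back to a default otherwise.
function parseLimit(raw, fallback = 10, max = 100) {
  if (typeof raw !== "string" || !/^\d{1,3}$/.test(raw)) return fallback;
  const n = Number(raw);
  return n >= 1 && n <= max ? n : fallback;
}

// Hardened rendering: validate first, and still encode on output as
// defence in depth in case the validation is loosened later.
function renderSafe(pageUrl) {
  const limit = parseLimit(new URL(pageUrl).searchParams.get("limit"));
  return `<p>Showing ${escapeHtml(limit)} projects</p>`;
}

// Regression check: does a rendered fragment still contain a <script>
// tag in any letter case (the mixed-case trick the payload uses)?
function reflectsScriptTag(html) {
  return /<\s*script/i.test(html);
}

console.log("vulnerable:", renderVulnerable(PAYLOAD_URL));
console.log("escaped:   ", renderEscaped(PAYLOAD_URL));
console.log("safe:      ", renderSafe(PAYLOAD_URL));
```

Running the block prints the three renderings. Validation is the more important fix for this particular parameter: a numeric limit never needs to carry markup, so rejecting anything that is not a small integer removes the reflection entirely, while escapeHtml protects any other parameter that legitimately has to be echoed back to the user.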

Recording Of The Bug

  • GIF showing the XSS payload reflected to the screen (image not reproduced in this text)

  • Video showing the XSS in detail (video not reproduced in this text)

  • Screenshot of the XSS in the page source: Ekran Alıntısı.JPG (Turkish for "Screen Clipping.JPG")

GitHub Account

https://github.com/emirfirlar
https://github.com/JefPatat/SteemMakers/issues/9


Hi, thank you for contributing to Steemit!

I upvoted and followed you; follow back and we can help each other succeed :)

P.S.: https://steemit.com/life/@jherry1221/mewkit-new-malware-drains-ethereum-wallets-automatically

Hi, it can be confirmed as an XSS, but just a self-XSS, which is caused by not filtering some security-relevant characters when taking user input.
It seems you quite like doing research in XSS hacking. Keep going.


Need help? Write a ticket on https://support.utopian.io/.
Chat with us on Discord.
[utopian-moderator]

Thank you for informing me. Website safety is important. I think we can help site owners by reporting security vulnerabilities. This is the best way to block malicious users.

Thanks man. I will look into it!

Thank you @jefpatat. If we can block malicious users, we will all be safe. Thank you for your interest.

Thank you for your botting.
Though I am not good at English,
I read your essay.
I started to think about the importance of security.

I'm glad you like it. Thank you.

Hey @emirfirlar
Thanks for contributing on Utopian.
We’re already looking forward to your next contribution!

Contributing on Utopian
Learn how to contribute on our website or by watching this tutorial on Youtube.

Want to chat? Join us on Discord https://discord.gg/h52nFrV.

Vote for Utopian Witness!
