[Zappl] - XSS in search bar

jaysermendez (63)in #utopian-io • 6 years ago (edited)

Expected behavior

XSS filter evasion should cover each edge case. All possible XSS code should be rejected.

Actual behavior

XSS filter evasion is not working for input text method, DIV expression method, and WAF ByPass Strings for XSS.

How to reproduce

Here are all the urls you can test to reflect the XSS bug:

https://gist.github.com/jayserdny/bf23a88197aabe2cbc5bae96fc31a198

Environment

Browser: Google Chrome Version 64.0.3282.186 (Official Build) (64-bit)
Operating system: macOS High Sierra

Some screenshots of the bug

Screen Shot 2018-03-13 at 2.21.11 AM.png

Screen Shot 2018-03-13 at 2.22.06 AM.png
Screen Shot 2018-03-13 at 2.23.22 AM.png

Screen Shot 2018-03-13 at 2.24.26 AM.png

Posted on Utopian.io - Rewarding Open Source Contributors

#bughunting #zappl #bugs #steemia

6 years ago in #utopian-io by jaysermendez (63)

Sort:

utopian-io (71) 6 years ago

Hey @jaysermendez I am @utopian-io. I have just upvoted you!

Achievements

You have less than 500 followers. Just gave you a gift to help you succeed!
Seems like you contribute quite often. AMAZING!

Suggestions

Contribute more often to get higher and higher rewards. I wish to see you often!
Work on your followers to increase the votes/rewards. I follow what humans do and my vote is mainly based on that. Good luck!

Get Noticed!

Did you know project owners can manually vote with their own voting power or by voting power delegated to their projects? Ask the project owner to review your contributions!

Community-Driven Witness!

I am the first and only Steem Community-Driven Witness. Participate on Discord. Lets GROW TOGETHER!

Vote for my Witness With SteemConnect
Proxy vote to Utopian Witness with SteemConnect
Or vote/proxy on Steemit Witnesses

Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x