Project Information
- Repository: https://github.com/JefPatat/SteemMakers
- Project Name: https://www.steemmakers.com
- Publisher (if applicable):
Expected behavior
Defending the Cross Site Scripting (XSS) Attack
Actual behavior
SteemMakers is vulnerable to Cross Site Scripting (XSS) attacks.
How to reproduce
I checked Cross site scripting (CSS-XSS) vulnerability on SteemMakers. One of these experiments reflected a cookie on the screen. It is not good that such important vulnerability was present on SteemMakers.
Cross site scripting (CSS-XSS) is a high priority vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. XSS – CSS , takes part at OWASP PHP security vulnerability TOP 5 list. SteemMakers is vulnerable to Cross Site Scripting injection vulnerability. Malicious users may gather data with use this vulnerability. Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to gather data from them.
- You can reflect the XSS cookie to the screen using the following code:
https://www.steemmakers.com/?limit='"()<ScRiPt >alert('!!! XSS Vulnerability Found by emirfirlar !!!')</ScRiPt>
- Browser/App version: Firefox Quantum 60.0.1 (32-bit)
- Operating system: Windows 7 professional SP1 (32 bit) Intel Core 2 Duo 2.13 Ghz , 4 gb RAM
Recording Of The Bug
- You can see the XSS Cookie Gif's below:
- You can see the XSS Cookie in the video in detail below:
- You can see the Xss detail in source below
GitHub Account
https://github.com/emirfirlar
https://github.com/JefPatat/SteemMakers/issues/9