Closed hackerhumble closed 2 years ago
Hi Team,
I have noticed a security issue in the reverse shell generator.
An attacker can trigger the XSS vulnerability is the victim machine using the below payload
https://www.revshells.com/?#ip=%3Cimg%20src=x%20onerror=alert(document.domain)%20/%3E
Ref: https://portswigger.net/web-security/cross-site-scripting/dom-based
Do not trust the user input. HTML escape the user input before rendering in the DOM.
Thanks, SRK.
I appreciate the finding, and great job! You’re welcome to fix it, if you want to contribute. There’s nothing on RevShells to steal, so I can’t foresee XSS being a problem.
Hi Team,
I have noticed a security issue in the reverse shell generator.
Issue Description:
An attacker can trigger the XSS vulnerability is the victim machine using the below payload
https://www.revshells.com/?#ip=%3Cimg%20src=x%20onerror=alert(document.domain)%20/%3E
https://www.revshells.com/?#ip=%3Cimg%20src=x%20onerror=alert(document.domain)%20/%3E
Ref: https://portswigger.net/web-security/cross-site-scripting/dom-based
Remediation:
Do not trust the user input. HTML escape the user input before rendering in the DOM.
Thanks, SRK.