bugy / script-server

Web UI for your scripts with execution management

fix: XSS attack via next login parameter. #730

Closed yog27ray closed 8 months ago

yog27ray commented 8 months ago

Vulnerable Parameter: ?next=

Payload Used: javascript:prompt(document.domain);//

Steps to Reproduce the Bug:

  1. Visit http://server.url/login.html?next=javascript:prompt(document.domain);//
  2. Click on the "Sign in with Google" button.
  3. Log in to your account.
  4. XSS will be triggered.
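The root cause in the report above is a post-login redirect that navigates to whatever `?next=` contains, so a `javascript:` URL runs in the page's origin once the browser follows it. The block below is an added example of the defensive check, not script-server's own code and not the fix the maintainers applied: it assumes the login page reads `next` from the query string and navigates to it after authentication, and it takes the application origin as an explicit parameter so it can run outside a browser. Only same-origin `http(s)` targets survive; `javascript:`, `data:`, protocol-relative (`//host`) and off-site absolute URLs all collapse to a safe default path.

```javascript
// Added example (not script-server's code): sanitise a post-login "next"
// target before it is handed to window.location.
//
// Hypothetical assumptions: the login page reads ?next= from the query string
// and navigates there after sign-in; appOrigin is the site's own origin,
// e.g. "https://app.example" (a constructed value, not from the report).

const DEFAULT_NEXT = '/';

function safeNextPath(rawNext, appOrigin) {
  if (typeof rawNext !== 'string' || rawNext.length === 0) {
    return DEFAULT_NEXT;
  }

  let parsed;
  try {
    // Resolving against the app origin lets "/path" and "path" through,
    // while absolute URLs keep their own scheme and host for inspection.
    parsed = new URL(rawNext, appOrigin);
  } catch (e) {
    return DEFAULT_NEXT;
  }

  // "javascript:" and "data:" URLs have an opaque origin ("null"), and
  // "//evil.example" or "https://evil.example" have a foreign origin; all of
  // them fail this comparison, so only same-origin targets continue.
  if (parsed.origin !== new URL(appOrigin).origin) {
    return DEFAULT_NEXT;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return DEFAULT_NEXT;
  }

  // Hand back a path-relative form so the caller can never be tricked into
  // navigating to a different origin, even if the check above were bypassed.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Reads ?next= from the current page and returns the validated target.
// Only meaningful in a browser; guarded so the module also loads under Node.
function nextFromLocation() {
  if (typeof window === 'undefined') {
    return DEFAULT_NEXT;
  }
  const params = new URLSearchParams(window.location.search);
  return safeNextPath(params.get('next'), window.location.origin);
}

// Usage after a successful sign-in (browser only):
//   window.location.assign(nextFromLocation());

module.exports = { safeNextPath, nextFromLocation, DEFAULT_NEXT };
```

The comparison on `origin` is the decisive check: the WHATWG URL parser gives `javascript:` and `data:` URLs the opaque origin `"null"`, and rewrites backslash and protocol-relative tricks into a proper host before you compare, so you are not matching the raw string against a blocklist of scheme prefixes. Returning `pathname + search + hash` rather than the original string is defence in depth for the same reason.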