euphwes / cubers.io

Weekly WCA-style speedcubing competitions with bonus events, and more!
https://www.cubers.io
GNU General Public License v3.0

Reflected Cross Site Scripting on [www.cubers.io](http://www.cubers.io/?fbclid=IwAR18E2CS7eDlc2eg-5dEGpX2TGUjRfhTePQmvTiwfZIGp42A1fRrc7ft1ng) #216

Open Asiador13 opened 7 months ago

Asiador13 commented 7 months ago

I found a reflected XSS on the cubers.io domain. This can steal cookies from other users or perform phishing attacks (not sure if it can take over accounts since you're using OAuth from WCA, but if it can, then the attacker can get the WCA account of the victim).

Mitigation/fix: Filter the tags that are being sent using the parameter from /event/{param}, or just show a 404 error.

Vulnerable URL: https://www.cubers.io/event/{param}

Payload: https://www.cubers.io/event//
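The two fixes suggested in the report, shown as an added example (not code from the cubers.io project): the unsafe pattern that echoes the `/event/{param}` value into the page, beside a handler that returns 404 for any slug not in a known-event list and HTML-escapes what it does render. The event list, handler names and page markup are hypothetical, and the example runs framework-free with only the standard library.

```python
from html import escape

# Constructed list of known event slugs (hypothetical; not cubers.io's real data).
KNOWN_EVENTS = {"3x3x3", "2x2x2", "pyraminx"}


def event_page_unsafe(param: str) -> tuple[int, str]:
    """The vulnerable pattern: the path parameter is echoed into HTML unescaped."""
    return 200, f"<h1>Results for {param}</h1>"


def event_page_fixed(param: str, known_events=KNOWN_EVENTS) -> tuple[int, str]:
    """Hardened handler: unknown slugs get a 404, so untrusted input is never
    reflected at all; known slugs are still HTML-escaped before rendering."""
    if param not in known_events:
        return 404, "<h1>Event not found</h1>"
    return 200, f"<h1>Results for {escape(param, quote=True)}</h1>"


def is_reflected_unescaped(param: str, body: str) -> bool:
    """Check used in a regression test: True when a parameter containing HTML
    metacharacters appears verbatim in the response body."""
    return any(c in param for c in "<>\"'") and param in body
```

Wiring `event_page_fixed` into a route with a template engine that autoescapes gives the same result; the 404 branch matters because it removes the reflection entirely rather than relying on escaping alone.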

euphwes commented 7 months ago

Interesting, thanks for bringing this to my attention! I'll look into this and button it up as soon as possible.