by UN.i1-PHI on September 17th, 2017

    But talking about hidden acceSS.. btw Quinton, kudos for your improved site, but I still think I have to notify you that even though it seems almost as if you can't perform Cross Site Scripting because of the HTML filter, I tried a couple of escaping things and the last of the first ones worked, so you've missed at least one workaround that has to do with encoded escaping, so you should do a bugfix for this stored XSS vulnerability (classified Type-I XSS). I do not seek to exploit or use this at all, but just as a warning I want to let you see that it's very possible, and except for a little discouragement due to the Filtered HTML (or rather a challenge to seek alternative methods), as far as security is concerned, you're back to where you had no Filtered HTML option, so I hope you are glad I'm not someone that wears a black hat that would take advantage of the possibility against the community/users/website/owner, such as a hungry cookie monster or an evil monitor lizard ;)

    Hello hack the world here, with this snippet you can temporarily change the usernames on this page because it loaded my test script (only in your current browser page; it's not permanent, as it doesn't have anything to do with mutating SQL injections operating on the db, although I haven't dared to test/try any of those on TC of course, but this harmless demo should show that I can get to the parent document from within an embedded iframe and change any element's content or anything client side via JavaScript on any user that loads the page, so that's a bit risky, don't you think...)

     Filed under: Site News & Feedback

