XSS using meta Tags

Ijaz Ur Rahim
Apr 30, 2018

I was invited by a friend to join a social platform that helps people earn money by liking, sharing, and updating posts.

As a pentester, I thought, let's try to find some vulnerabilities. I found many vulnerabilities (listed at the end of the article).

One of the vulnerabilities I found was XSS. The site was using a web scraper that grabs a site's meta tag information.

I created a file on another server

and inserted a meta tag containing a red-colored font tag,

and then tested it, and yeah, it worked. Let's try some JavaScript using HTML event attributes.

But it didn’t pop up. I wanted an immediate response, so I tried with og:image,

and yeah, it worked.
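The rendering flaw described above, shown next to a hardened version, as an added example that is not code from the platform or from the original post. The function names, the preview markup and the sample page are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

class MetaTagParser(HTMLParser):
    """Collects content values of <meta name=...> and <meta property=...>."""
    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        key = a.get("property") or a.get("name")
        if tag == "meta" and key and a.get("content") is not None:
            self.meta.setdefault(key.lower(), a["content"])

def scrape_meta(page_html):
    parser = MetaTagParser()
    parser.feed(page_html)
    return parser.meta

def safe_image_url(url):
    """Accept only absolute http(s) URLs; anything else is dropped."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    ok = parts.scheme in ("http", "https") and bool(parts.netloc)
    return url.strip() if ok else None

def render_preview_unsafe(meta):
    # Vulnerable pattern: scraped strings are concatenated into markup as-is.
    return '<div class="preview"><h3>%s</h3><img src="%s"></div>' % (
        meta.get("og:title", ""), meta.get("og:image", ""))

def render_preview_safe(meta):
    # Scraped metadata is untrusted input: escape text and attribute values.
    title = escape(meta.get("og:title", ""), quote=True)
    image = safe_image_url(meta.get("og:image", ""))
    img = '<img src="%s">' % escape(image, quote=True) if image else ""
    return '<div class="preview"><h3>%s</h3>%s</div>' % (title, img)

# Constructed sample of a third-party page (not taken from the article).
SAMPLE_PAGE = """<html><head>
<meta property="og:title" content="<font color=red>Hello</font>">
<meta property="og:image" content='https://img.example.test/a.png" data-injected="1'>
</head></html>"""
```

Running both renderers on `scrape_meta(SAMPLE_PAGE)` shows the font tag and the extra attribute reaching the unsafe output as live markup, while the safe output carries them only as escaped text.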

I reported them, and they thanked me and also promised to reward me with something, and maybe they would hire me. It’s been 1–2 months and I haven't gotten a reply back.

I reported the following vulnerabilities too.

  • IDOR (sending messages to anyone from anyone)
  • 3–5 XSSes (2 stored)
  • Open S3 bucket
  • Earn money using a bot script (due to absence of CSRF token)
  • CSRF in every field
  • HTML injection that ruins the messages page
  • Admin panel access (mini)
  • Old version of WordPress detected, having many vulnerabilities
  • and some more vulnerabilities

If you like this article, please clap :D
