by 28uwedj 1665 days ago
DO NOT USE THIS SITE:

1. Create Note with the contents <script>alert(1);</script>

2. Go to link

3. This site is a massive security flaw.

4 comments

This is exactly why I posted here. Thank you so much for this feedback. Will fix and let you know.
Your Laravel PHP framework debug messages are being exposed to users.

Cool site tho, have a lovely week.

This issue is now resolved.
To clarify, why is being able to display an alert a massive security flaw in this context?
The alert itself is harmless, but it demonstrates that arbitrary JavaScript, which could certainly not be harmless, can be injected into the page.
It's not the ability to display alerts that is concerning, but rather the ability to run untrusted JavaScript. This was a proof of concept that showed that it has a serious XSS vulnerability.
For detailed information on what XSS is, how it can be exploited and how it can be prevented, have a look at the OWASP XSS description:

https://owasp.org/www-community/attacks/xss
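To make the point of the comments above concrete, here is an added example (not code from the thread or from the site being discussed): a minimal note renderer that interpolates the note body straight into HTML, which is what the poster's `<script>alert(1);</script>` payload implies the site was doing, beside a hardened version that HTML-escapes every untrusted field. The function names, the note title and the check at the end are assumptions for illustration; the payload is the one from the original post.

```javascript
// Added example, not from the original thread. Runs stand-alone in Node.js, no DOM needed.

// Payload from the original post (stored XSS: saved as a note, executed on view).
const PAYLOAD = "<script>alert(1);</script>";

// Vulnerable (hypothetical): the note body is dropped into the page unchanged,
// so any markup the author typed becomes part of the response.
function renderNoteUnsafe(title, body) {
  return `<article><h1>${title}</h1><div class="body">${body}</div></article>`;
}

// Escape the five characters that are significant in HTML text and
// double/single-quoted attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: every untrusted value is escaped at the point it is placed into HTML,
// so the browser renders the payload as text instead of parsing it as a script element.
function renderNoteSafe(title, body) {
  return `<article><h1>${escapeHtml(title)}</h1><div class="body">${escapeHtml(body)}</div></article>`;
}

// Crude reviewer's check over rendered output: did a <script> element survive?
// This is a heuristic for the demo, not a sanitizer; it only detects this one payload shape.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Render the same note both ways and report whether the payload survived.
function demo() {
  const unsafe = renderNoteUnsafe("Test note", PAYLOAD);
  const safe = renderNoteSafe("Test note", PAYLOAD);
  return {
    unsafe,
    safe,
    unsafeHasScript: containsScriptElement(unsafe),
    safeHasScript: containsScriptElement(safe),
  };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const r = demo();
  console.log("unsafe:", r.unsafe, "\n  script element present:", r.unsafeHasScript);
  console.log("safe:  ", r.safe, "\n  script element present:", r.safeHasScript);
}
```

Two caveats a practitioner would add: escaping is context-specific (the encoder above is correct for HTML text and quoted attributes, not for values placed inside a script block, a URL or a CSS property), and on a Laravel site the equivalent fix is to render user content with Blade's `{{ $note->body }}`, which escapes, rather than `{!! $note->body !!}`, which does not. The separate debug-message leak mentioned in the thread is addressed by setting `APP_DEBUG=false` in the production `.env`.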

This is now resolved. Thanks for the feedback!
ISSUE RESOLVED