by chatmasta
976 days ago
You're welcome. :D The client-side XSS is mostly harmless (assuming you don't have any other sensitive services running with cookies scoped to this domain), although it's technically a persistent XSS, which means it could be indexed by search engines. But is there a server-side component to this? I noticed that the "disclaimer" is added in the source returned by the server, so I assume there is some code that checks whether the post is present on the home page? If so, that could be dangerous, if there is a bug in that code such that a malicious payload in the URL could get RCE in your server process.

TBH I haven't thought about most of these things. Nobody typically reads my blogs when I've made them before and this is likely the only interest it will get for quite a while.