Bug Hunting - Cross Site Scripting (XSS) Vulnerability Found On SteemMakers

Project Information

 

• Repository: https://github.com/JefPatat/SteemMakers
• Project Name: https://www.steemmakers.com
• Publisher (if applicable): @steemmakers

 

Expected behavior

 

Defending the Cross Site Scripting (XSS) Attack

 

Actual behavior

 

SteemMakers is vulnerable to Cross Site Scripting (XSS) attacks.

 

How to reproduce

 

   I checked Cross site scripting (CSS-XSS) vulnerability on SteemMakers. One of these experiments reflected a cookie on the screen. It is not good that such important vulnerability was present on SteemMakers.

   Cross site scripting (CSS-XSS) is a high priority vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. XSS – CSS , takes part at OWASP PHP security vulnerability TOP 5 list. SteemMakers is vulnerable to Cross Site Scripting injection vulnerability. Malicious users may gather data with use this vulnerability. Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to gather data from them.

 

• You can reflect the XSS cookie to the screen using the following code:

https://www.steemmakers.com/?limit='"()<ScRiPt >alert('!!! XSS Vulnerability Found by emirfirlar !!!')</ScRiPt>

 

• Browser/App version: Firefox Quantum 60.0.1 (32-bit)
• Operating system: Windows 7 professional SP1 (32 bit) Intel Core 2 Duo 2.13 Ghz , 4 gb RAM

 

Recording Of The Bug

 

• You can see the XSS Cookie Gif's below:

 

 

• You can see the XSS Cookie in the video in detail below:

 

 

• You can see the Xss detail in source below

 

 

GitHub Account

https://github.com/emirfirlar
https://github.com/JefPatat/SteemMakers/issues/9