Welcome to our

Cyber Security News Aggregator

.

Cyber Tzar

provide a

cyber security risk management

platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.

[IRCCloud] History and Another XSS Bug Bounty

published on 2015-10-14 10:50:15 UTC by penturamantis
Content:

Personally, I have been a user of IRC since 2004 on some private networks and some other well-known ones such as Freenode. However, it was always inconvenient to have to set up an IRC Bouncer, so when IRCCloud came around, I was excited to try it and see if it provided me with a method of staying connected to all the required networks without having to download a new client on every computer I was on (as it’s a web service).

After trying the Beta which was a free option before they publicly released the paid version, I thought I’d try and find some vulnerabilities to report to them – for no other reason than to ensure that the service that I am using can’t be exploited to disclose any of my information or data.

The first issue I identified was that the application has a pastebin feature for when the user pastes a large amount of text, they get the option for uploading to their own proprietary pastebin service.

IRCCloud Pastebin

However, after performing some testing to execute javascript within the resulting pastebin link, it was found that it was possible to insert a new line (\n) and then a Cross Site Scripting payload, which got executed to full pre-authenticated Persistent Cross Site Scripting.

Read the full report on HackerOne.

Article: [IRCCloud] History and Another XSS Bug Bounty - published about 9 years ago.

https://penturalabs.wordpress.com/2015/10/14/irccloud-history-and-another-xss-bug-bounty/   
Published: 2015 10 14 10:50:15
Received: 2021 06 06 09:04:46
Feed: Pentura Labs's Blog
Source: Pentura Labs's Blog
Category: Cyber Security
Topic: Cyber Security
Views: 1

Custom HTML Block

Click to Open Code Editor