@SwiftOnSecurity this could be fixed with csp right?
-
-
-
Not if you can insert the XSS into the profile. CSP doesn't protect against that
-
csp can prevent external inline iframes or scripts from being loaded, which is precisely what this exploit is abusing
-
So write your payload directly into the profile.
-
What he's saying is that you can prevent inline JS from being run and only allow external files from approved URLs
-
Right, what I'm saying is that XSS means the payload executes in the same origin, which I don't think CSP can block.
-
So if you write all the JavaScript you want to execute into the guide, it need not use external origins
New conversation -
-
-
Is it wormable?
-
I would guess so. The CSRF token is consistent across all pages.
-
"Gaben is my hero"
-
The Samy worm on MySpace was the best
End of conversation
New conversation -
-
-
I tried telling @Steam_Support @steam_games about this years ago. I was ignored.
-
From what I read that one was fixed years ago and this is a new one o:
-
I've reported tons of XSS vulns to steam. They were all ignored until exploited
End of conversation
New conversation -
-
-
is that usable only in showcases?
-
I cannot reproduce in profile description
-
You have to write a Guide and showcase it. pic.twitter.com/Sqj9sg143s
-
How to showcase it? Level needed?
-
Yes, you need level 10.
End of conversation