I was reviewing my old reports on Intigriti and I found one of my favourite bugs: an XSS with a beautiful exploitation on a private program.
Before explaining the bug, I always explain the application's functionality and the context of the bug.
This application allows users to create dashboards with images, data, or graphics, and you can also add custom CSS.
You can create special access tokens for each dashboard, each one with different permissions, expiry times… For example:
TokenA = xxxxxxxxxxxxxx (Only view on Dashboard1)
TokenB = xxxxxxxxxxxxxx (Edit Dashboard2)
That token is used in the URL to share the dashboard with anyone.
URL to share → /dashboard1?token=xxxxxxxxxxxxxxx → This allows anyone to view the dashboard
The interesting part of this functionality is that when the token expires, the JavaScript code of the dashboard redirects the user to a URL previously specified by the dashboard owner.
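The redirect-on-expiry step described above hands an owner-supplied URL to a browser navigation, so it is the one place a defender would want to constrain what that URL may be. The following is an added example, not code from the original post or from the application being described; the function names, the `tokenInfo` fields and the `https://dashboard.example` origin are assumptions. It accepts only absolute http(s) targets (optionally pinned to an allowlist of hosts) and falls back to a safe path for anything else.

```javascript
// Added example: a hardened "token expired -> redirect to owner-configured URL"
// handler. Names are hypothetical; the real application's API is not known.

// Return a safe navigation target. Only http: and https: URLs are accepted;
// relative paths are resolved against the application origin so that "/login"
// works while scheme-bearing strings such as "javascript:" or "data:" keep
// their own scheme and are rejected. If allowedHosts is given, the resolved
// host must also be on that list, which closes the open-redirect case too.
function sanitizeRedirectUrl(candidate, options = {}) {
  const { fallback = "/", appOrigin = "https://dashboard.example", allowedHosts = null } = options;
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;

  let parsed;
  try {
    parsed = new URL(candidate, appOrigin); // throws on unparseable input
  } catch (e) {
    return fallback;
  }

  // WHATWG URL lower-cases the scheme, so "JavaScript:" is caught here as well.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return fallback;

  if (Array.isArray(allowedHosts) && !allowedHosts.includes(parsed.hostname)) {
    return fallback;
  }
  return parsed.href;
}

// Decide what to do when a dashboard access token may have expired.
// tokenInfo is a constructed stand-in for whatever the API returns:
//   { expiresAt: <ms since epoch>, redirectUrl: <owner-configured string> }
// navigate is injected (e.g. url => window.location.assign(url)) so the logic
// can be exercised outside a browser.
function onTokenExpired(tokenInfo, nowMs, navigate, options = {}) {
  if (!tokenInfo || typeof tokenInfo.expiresAt !== "number") return false;
  if (tokenInfo.expiresAt > nowMs) return false; // still valid, nothing to do
  navigate(sanitizeRedirectUrl(tokenInfo.redirectUrl, options));
  return true;
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    "https://example.org/token-expired",
    "/login",
    "javascript:alert(1)",
    "data:text/html,hello",
    "//other.example/landing",
    "not a url at all",
  ];
  for (const s of samples) {
    console.log(JSON.stringify(s), "->", sanitizeRedirectUrl(s, { allowedHosts: ["dashboard.example", "example.org"] }));
  }
}
```

The host allowlist is the stricter choice: without it, a protocol-relative string such as `//other.example/landing` resolves to `https://other.example/landing`, which is not script execution but is still an owner-controlled redirect off the application's origin.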