Discovering and Reporting a Reflective XSS Vulnerability


debang5hu

Hey there! So, I’ve been working on my personal website (yep, still in the “trying to figure it out” phase). To be honest, I’m pretty much a noob at web development, which is why I’ve been asking my trusty LLM for a lot of help lately. Anyway, while messing around with HTML tags, I stumbled upon an interesting behavior on www.blackbox.ai. The site rendered the <svg> tag when I provided it as input. Curious, I tried experimenting with other tags, but none of them worked. Since the <svg> tag was being rendered correctly, I thought, "Let me see if I can execute some JavaScript inside it"—and to my surprise, it worked!

This led me to discover a reflective XSS vulnerability, where I was able to inject a script and perform a redirection. Here’s the payload I used:

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 500">
<script>window.location='https://github.com/Debang5hu'</script>
</svg>
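As an added example (not code from this post or from blackbox.ai), here are the two server-side defences that close the gap the payload above exploits, exercised on that payload and on a few constructed inputs; the element and attribute allowlists are illustrative choices, not the site's.

```javascript
// Added example (not the original post's or blackbox.ai's code): two defences
// against the <svg><script> payload shown above, run on constructed inputs.

// Defence 1: render user input as text. Escaping the HTML metacharacters
// makes the browser display "<svg>..." literally and parse no tag at all.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Defence 2: if inline SVG genuinely must render, allowlist both elements and
// attributes. A blocklist that admits <svg> but forgets the <script> inside it
// is the gap the post describes; an allowlist never admits <script>, on*
// handlers or href at all. This is a tag-level illustration of the principle;
// production code should use a vetted sanitizer such as DOMPurify.
const ALLOWED_TAGS = new Set(['svg', 'g', 'path', 'circle', 'rect', 'line', 'text']);
const ALLOWED_ATTRS = new Set(['xmlns', 'viewbox', 'd', 'r', 'cx', 'cy', 'x', 'y',
  'width', 'height', 'fill', 'stroke', 'stroke-width', 'transform']);

// One tag. Quoted attribute values are matched whole, so a '>' inside quotes
// cannot end the tag early and smuggle a later attribute past the filter.
const TAG_RE = /<(\/?)([a-zA-Z][\w:-]*)((?:\s+[\w:-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;
// One attribute within a tag's attribute string: name, then an optional =value.
const ATTR_RE = /\s+([\w:-]+)(\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function sanitizeSvg(input) {
  // Drop <script> elements together with their bodies first, so script source
  // is not left behind as text once the tags themselves are removed.
  const noScripts = input.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
  return noScripts.replace(TAG_RE, (_, close, name, attrs, selfClose) => {
    if (!ALLOWED_TAGS.has(name.toLowerCase())) return ''; // unknown element: drop the tag, keep inert text
    if (close) return `</${name}>`;
    let kept = '';
    for (const [, attrName, value = ''] of attrs.matchAll(ATTR_RE)) {
      if (ALLOWED_ATTRS.has(attrName.toLowerCase())) kept += ` ${attrName}${value}`;
    }
    return `<${name}${kept}${selfClose}>`;
  });
}

// The post's payload, reproduced here as a constructed test input.
const PAYLOAD =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 500">\n' +
  "<script>window.location='https://github.com/Debang5hu'</script>\n" +
  '</svg>';
```

With escaping, the payload never becomes markup; with the allowlist, the <svg> shell survives but the <script> element, its body, and any on* attribute are gone.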

While the exploit didn’t have any severe consequences, it was still a valid security concern. After finding the bug, I promptly reported it to the site’s team.

However, despite my efforts, I didn’t receive any acknowledgment or response from them. After a few days, I noticed that the issue had been patched. I realized this when I tried my old payload again, and it no longer worked.

While I’m glad the issue was fixed, it’s disheartening not to receive any appreciation for the work done. All of this led to a negative impact, and yes, I’m disappointed. But I choose to focus on the fact that the vulnerability was addressed and the system became more secure, which is what matters in the end.

Sayonara :)
