一位研究人员在测试一个教育类网页应用时,尝试通过注入HTML代码检测XSS漏洞。尽管输入了恶意链接payload,但页面未执行任何恶意操作。进一步查看页面源码后发现,用户输入已被转义处理,未形成实际威胁。 2025-7-29 07:35:27 Author: infosecwriteups.com(查看原文) 阅读量:17 收藏
जय श्री राम 🚩
For Non-Members : FREE LINK
At the start of July , I found myself randomly poking around one of the Old Public Bug Bounty programs listed on Bugcrowd.
The target platform — let’s just say, [REDACTED], is a well-known educational web application that allows users to create and share flashcard sets online.
While browsing through the features, I noticed the option to create custom flashcard sets — a feature meant to help students learn and share study material.
Then creating the Flashcard I saw Name Field and some more input fields which of course every Bug Hunter tries HTML Injection or XSS as it’s in there checklist.
I inserted a basic HTML payload (<a href="https://evil.com">CLICK</a>) into the Title/Name field of the flashcard, just to check if any form of HTML Injection or XSS was possible.
Then I copied the URL and pasted it in another browser to check whether the payload executed.
Unfortunately — nothing happened. No redirection. No HTML rendering. Just plain, harmless text.
Then just like a Penetration Tester not one to give up easily, I decided to view the page source to see how the application handles user input under the hood. I searched for my payload in the raw HTML…
如有侵权请联系:admin#unsafe.sh