← Back to context

Comment by neogodless

3 years ago

Oof, I clicked one of those posts and immediately lost all back-button functionality to an endless stream of history events.

I tried right clicking to open the link in a new tab, and found I couldn't. What is it with these bespoke browsers written in JavaScript?

Was it the "Daniel's Site" post? There's some weird interactions I'm finding with that iframe'd html upload and the history events.

  • As someone who dealt with payment iframes in SPAs I'm so happy I don't have to use any iframes nowadays. There are a few articles how you can "kind of track" when the iframe caused extra history entries then you need to increase your back navigation by the count of them, it was a mess back in the days so not sure how is it solved nowadays.

    • Today you can still use iframes but most gateways now provide a tokenization api that provides the form to produce the tokenized cc. Afaik tokenized cc isn't falling under PCI.

      My big issues with iframes is the checkout process which inevitably has to make callbacks to your api with the results of the transaction. If you're behind any sort of firewall (like most businesses are) you're in for a world of http pain.

      4 replies →

Also, when I visit the #all page I get two weird window.alert()’s, first says 5, second says 1. I’m on mobile Safari now so can’t really investigate, but is the site getting script injected??

  • Yes, the site is vulnerable to XSS, couple of interesting payloads on there so far

    The current top post uses this XSS to have users upvote it:

    <img src="a" onerror="soci.postData(String.fromCharCode(112,111,115,116,116,97,103,47,97,100,100,45,118,111,116,101),{post:String.fromCharCode(120),tag:String.fromCharCode(120)})">

    Which sends a POST request to `posttag/add-vote` for the post labeled `x`

    • I suppose that makes sense if you get payed for upvotes, stored xss is probably just the most low hanging fruit, if they messed that up I'd expect everything from csrf, clickjacking, sqli and more, everyone has the incentive to look and exploit. They should probably get a thorough white box review.