Tube8 Reflected XSS HackerOne Disclosure

It was a normal bug hunting day. I spent around 10 hours spidering through websites and testing for XSS (cross-site scripting) until I stumbled across an XSS vulnerability in one of the most famous porn sites.


I successfully came up with a proof of concept and sent in a report. Here is the proof-of-concept payload.



How this exploit works is the following:

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application’s response. The proof-of-concept attack demonstrated uses the onclick event handler and the accesskey attribute to introduce arbitrary JavaScript into the document. Note that this technique requires the victim to trigger the access key using the key combination ALT+SHIFT+X in Windows/Linux and CTRL+ALT+X on OS X. It is specific to Firefox, and it will not work on other browsers.
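The root cause of this class of bug is a request value written into an HTML attribute without encoding, so the input can close the attribute and add its own `accesskey` and `onclick`. The following is an added example, not code from the original report or the affected site; the hidden-input context, the function names and the sample input are assumptions constructed for illustration. It shows the unsafe rendering beside the encoded one and lists which attributes end up on the tag.

```javascript
// Added example: a reflected value placed in a quoted HTML attribute.
// All names here (renderUnsafe, renderSafe, riskyAttributes) are hypothetical.

// Vulnerable pattern: the request parameter is concatenated in as-is.
function renderUnsafe(value) {
  return '<input type="hidden" name="q" value="' + value + '">';
}

// Encode every character that can end or confuse a quoted attribute value.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: same template, value encoded for the attribute context.
function renderSafe(value) {
  return '<input type="hidden" name="q" value="' + escapeAttr(value) + '">';
}

// Minimal attribute lister for a single tag, used only to inspect the output.
function attributeNames(tag) {
  const names = [];
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Attributes that should never originate from user input: handlers and accesskey.
function riskyAttributes(tag) {
  return attributeNames(tag).filter((n) => n.startsWith('on') || n === 'accesskey');
}

// Constructed sample input (not the payload from the report).
const sample = 'x" accesskey="x" onclick="alert(1)';

console.log(riskyAttributes(renderUnsafe(sample))); // attributes added by the input
console.log(riskyAttributes(renderSafe(sample)));   // none: input stays inside value
```

With encoding applied, the whole input remains the content of `value`, so the access key combination has nothing to trigger.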


Have they fixed the issue?

Well, yes, they have fixed the issue; otherwise I would not be disclosing it.


