50
Skayo
7y

If found a Website with a nice Guestbook. Funny thing: HTML-Code and JavaScript-Code in the message was not getting escaped. So I wrote a little JS-Script wich alerts “Nope“ and the then redirects to pornhub.com after page load.

After about 2 WEEKS of funny redirecting, they updated their site and HTML-Code is now getting escaped.

Comments
  • 4
    You should've gotten payment for that!
  • 3
    Btw...How did you find out that the guestbook didn't escape characters?
  • 0
    @samwir I tested it
  • 3
    I did basically the same with a teacher's site, but the difference is that nobody looks at it at all, Copyright is 2008-2009.
  • 2
    How did you get your script to run on their live server for every user who reaches the site?
  • 1
    Following
  • 5
    +1 for saying guestbook. Haven't heard that term since Geocities was the hot potato
  • 8
    @code The guestbook with my evil message is public. When anybody goes to the site, the message with the script is loaded and then, the script executes.
    Understand? 😕
  • 1
    @Skayo oh lol that's brilliant
    Not sure why but I imagined a wordpress blog kinda thing which was just created by site admin
  • 1
    @code it's called cross site scripting (XSS), in this case it's the stored XSS type. So that script is stored within the DB and as @Skayo explained, it loads whenever someone opens the site
Add Comment