The domino principle, or XSS on large Runet sites
On the Mail.ru new-account registration page, the 'Name' and 'Last Name' fields were not filtered, so it was possible to insert a script and register a user whose name was that script (up to 80 characters). On Mail.ru itself the vulnerability did not show up in any way, but it manifested itself on sites that used authorization through Mail.ru, and on sites that used authorization through sites that used authorization through Mail.ru :)
Before the vulnerability was fixed:
After:
And here it is in action (for comfortable viewing, set 1080p):
So it goes. It seems that at the time of writing this post, Mail.ru has already fixed this bug.
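
The chain described above, as an added example (not code from the original post or from Mail.ru): a relying site renders a name that arrived through two login hops, first as-is and then HTML-encoded at output. The profile field names, helper functions and sample value are constructed for illustration.

```javascript
// Added example: a name received from a login provider is untrusted input.
// Constructed profile; the field names are assumptions, not Mail.ru's API.
const providerProfile = {
  id: "1001",
  first_name: "<script>alert(1)</script>",
  last_name: "Ivanov",
};

// Encode for HTML element content and quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Site A signs users in through the provider, stores the name unchanged and
// re-exports it to sites that sign in through site A (the next domino).
function siteAExportProfile(profile) {
  return { display_name: `${profile.first_name} ${profile.last_name}` };
}

// Vulnerable: the name is concatenated into markup as-is.
function renderGreetingUnsafe(displayName) {
  return `<span class="user">${displayName}</span>`;
}

// Hardened: encode at the point of output, whatever the value's origin.
function renderGreetingSafe(displayName) {
  return `<span class="user">${escapeHtml(displayName)}</span>`;
}

// Detection aid for logs/alerts at ingestion; not a substitute for encoding.
function nameContainsMarkup(name) {
  return /[<>]/.test(name);
}

// Site B sits two hops from the provider and still receives the raw name.
const siteBName = siteAExportProfile(providerProfile).display_name;
console.log(renderGreetingUnsafe(siteBName)); // script element reaches the page
console.log(renderGreetingSafe(siteBName));   // rendered as inert text
console.log(nameContainsMarkup(siteBName));
```

Encoding at output protects each site independently of whether the provider, or any site in between, filters the field.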