<?xml version="1.0" encoding="utf-8"?><feedxmlns="http://www.w3.org/2005/Atom"><generatoruri="https://jekyllrb.com/"version="4.1.1">Jekyll</generator><linkhref="/feed.xml"rel="self"type="application/atom+xml"/><linkhref="/"rel="alternate"type="text/html"/><updated>2021-04-04T15:27:34-06:00</updated><id>/feed.xml</id><entry><titletype="html">The “Quiz Your Friends” XSS Exploit</title><linkhref="/2021/04/04/quiz-your-friends-xss/"rel="alternate"type="text/html"title="The “Quiz Your Friends” XSS Exploit"/><published>2021-04-04T00:00:00-06:00</published><updated>2021-04-04T00:00:00-06:00</updated><id>/2021/04/04/quiz-your-friends-xss</id><contenttype="html"xml:base="/2021/04/04/quiz-your-friends-xss/"><p>Note: I have alerted the administrators of this site multiple times about this vulnerability. One email was sent many years ago, which is more than enough time for <a href="https://en.wikipedia.org/wiki/Responsible_disclosure">responsible disclosure</a>.</p><h2 id="background">Background</h2><p>In early 2014, when my “programming” skills consisted of editing web pages with inspect element, I was sent a link from an old friend in a town about 3 hours away. This was a link to a quiz about them. I had to answer as many questions right as I could about them and I got a score at the end based on my answers. It seemed fun enough, so I went for it. In the following weeks this quiz website became quite a trend amongst my friend group as we all started making quizes to see how well we all knew eachother.</p><p>A few weeks into this trend, I was staying at a friends’ place and told him about this site, so he goes and creates his own quiz and sends it to all his friends, group chats, Google Plus groups, et cetera.</p><h2 id="hackerman">Hackerman</h2><p>While filling in my friend’s survey I thought it would be funny for them to know it is me without anyone else knowing. We were young and had <code class="language-plaintext highlighter-rouge">Inspect Element</code>ed a few things together, so it was a safe bet that an HTML joke would let them know.</p><p>I decided to write my name like so: <code class="language-plaintext highlighter-rouge">&lt;b&gt;Steve&lt;/b&gt;</code>. Steve is in reference to the <a href="https://minecraft.gamepedia.com/Player">main character</a> in the video game Minecraft.</p><figure><img src="/assets/img/qyf-xss/2-bold.png" /><figcaption><p>Me typing in my name as <span class="mono">&lt;b&gt;Steve&lt;/b&gt;</span>.</p></figcaption></figure><p>Now in theory this should have shown in in the leaderboard as: “&lt;b&gt;Steve&lt;/b&gt;” However, to my horror and excitement, I saw this in the leaderboard:</p><figure><img src="/assets/img/qyf-xss/3-steve-board.png" /><figcaption><p><span class="mono">&lt;b&gt;Steve&lt;/b&gt;</span> displaying in the leaderboard as bold text: <b>Steve</b></p></figcaption></figure><p>The text “Steve” showed up <strong>in bold</strong> on the leaderboard. This told me all I needed to know. How did this happen? You might wonder.</p><h3 id="server-side-validation">Server-Side Validation</h3><p>Here is a great demonstration why you should do most of your validation on the server side. As a user, I can edit any of the HTML, CSS, or Javascript your server serves to me.</p><p>Quiz your friends uses the <code class="language-plaintext highlighter-rouge">maxlength=20</code> HTML attribute on the name input field. Imagine trying to fit in a script tag doing anything useful with 20 characters! Don’t forget that includes the <code
