---
title: "The \"Quiz Your Friends\" XSS Exploit"
layout: post
---
## TODO write intro
## How I Found This Exploit
While filling in one of my friend's surveys I thought it would be
funny for them to know it is me without anyone else knowing.
We were young and had `Inspect Element`ed a few things together,
so it was a safe bet that an HTML joke would let them know.
I decided to write my name like so: `<b>Steve</b>`.
Steve is in reference to the [main character](https://minecraft.gamepedia.com/Player) in the video game Minecraft.
Now in theory this should have shown in the leaderboard as: `<b>Steve</b>`
However, to my horror and excitement, I saw this in the leaderboard:
The text "Steve" showed up **in bold** on the leaderboard.
This told me all I needed to know.
How did this happen, you might wonder?
### Server-Side Validation
Here is a great demonstration of why you should do most of your validation on the server side.
As a user, I can edit any of the HTML, CSS, or JavaScript your server serves to me.
Quiz Your Friends uses the `maxlength=20` HTML attribute on the name input field.
Imagine trying to fit a script tag that does anything useful into 20 characters! Don't forget that includes the `
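As an added example (not the quiz site's own code, which the post does not show), here is how the leaderboard name could be handled on the server: the length limit is re-checked server-side and the name is HTML-escaped on output, next to a render function that reproduces the unescaped behaviour described above. The function names and the 20-character limit are assumptions taken from the post's description of the `maxlength=20` input.

```javascript
// Added example, not from the original post. The 20-character limit mirrors
// the site's maxlength=20 attribute; everything else is assumed.

const MAX_NAME_LENGTH = 20; // the client-side limit, re-enforced on the server

// Map each HTML-significant character to its entity so user text renders as text.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side validation: the browser's maxlength attribute is advisory only,
// since a user can remove it with Inspect Element or send the request by hand.
// Returns { ok: true, name } or { ok: false, reason }.
function validateName(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'name must be a string' };
  const name = raw.trim();
  if (name.length === 0) return { ok: false, reason: 'name is empty' };
  if (name.length > MAX_NAME_LENGTH) return { ok: false, reason: 'name too long' };
  return { ok: true, name };
}

// The behaviour the post describes: the name is dropped straight into the
// markup, so "<b>Steve</b>" renders bold (and a script tag would execute).
function renderRowUnsafe(name, score) {
  return `<tr><td>${name}</td><td>${score}</td></tr>`;
}

// Hardened rendering: validate first, then escape on output so any markup in
// the name is shown literally in the leaderboard instead of being interpreted.
function renderRow(rawName, score) {
  const v = validateName(rawName);
  if (!v.ok) throw new Error(`rejected name: ${v.reason}`);
  return `<tr><td>${escapeHtml(v.name)}</td><td>${Number(score)}</td></tr>`;
}
```

Running `renderRow('<b>Steve</b>', 10)` yields a row whose cell reads `&lt;b&gt;Steve&lt;/b&gt;`, which the browser displays as the literal text `<b>Steve</b>` rather than as bold.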