Hi,
I am Farhan, a professional cyber security researcher & penetration tester from Pakistan. I was reviewing the code of transfer.sh and I found that it is possible to achieve Cross Site Scripting (XSS) on transfer.sh.
Steps to Reproduce:
Create a file without any extension, for example "poc".
Add this HTML to the file: "<h3 onclick="alert('XSS')">click me</h3>"
Proof Of Concept:
Open the following url and click on the "click me" text and you will see an alert popup, which confirms XSS. https://transfer.sh/inline/OHTwGK/poc
How to Fix it:
In the file /server/handlers.go find this code at line 1035:
https://github.com/dutchcoders/transfer.sh/blob/main/server/handlers.go#L1035
Replace this code with the following to add a proper content type:
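The report above describes HTML inside an extensionless upload being rendered when it is fetched through the /inline/ route. The following Go program is an added example, not transfer.sh's own code and not the handlers.go change the reporter proposes: it contrasts a handler that serves an upload inline with whatever content type it can find (extension lookup, else nothing, so the client sniffs the body) against one that only passes through types a browser renders without executing script, downgrades everything else to text/plain, and sends nosniff plus a sandboxing CSP. The in-memory store, the file names ("poc", "page.html", "logo.png") and the handler and helper names are constructed for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"strings"
)

// storedFile is a constructed stand-in for an upload kept by a file host: the
// bytes plus whatever type was recorded at upload time (extension, uploader's
// Content-Type header, or nothing at all).
type storedFile struct {
	name        string
	contentType string
	body        []byte
}

// Constructed sample store. "poc" mirrors the report: no extension, HTML body.
var store = map[string]storedFile{
	"poc":       {name: "poc", body: []byte(`<h3 onclick="alert('XSS')">click me</h3>`)},
	"page.html": {name: "page.html", body: []byte(`<script>alert(1)</script>`)},
	"logo.png":  {name: "logo.png", body: []byte("\x89PNG\r\n\x1a\n")},
}

func lookup(r *http.Request) (storedFile, bool) {
	f, ok := store[strings.TrimPrefix(r.URL.Path, "/inline/")]
	return f, ok
}

// vulnerableInline serves the file inline under whatever type it can find. An
// extensionless file yields no type, so the decision is left to sniffing
// (net/http's own sniffer here, the browser's in production); an .html upload
// goes out as text/html. Either way uploader-controlled markup is rendered in
// the file host's origin.
func vulnerableInline(w http.ResponseWriter, r *http.Request) {
	f, ok := lookup(r)
	if !ok {
		http.NotFound(w, r)
		return
	}
	ct := f.contentType
	if ct == "" {
		ct = mime.TypeByExtension(filepath.Ext(f.name))
	}
	if ct != "" {
		w.Header().Set("Content-Type", ct)
	}
	w.Header().Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", f.name))
	_, _ = w.Write(f.body)
}

// inlineContentType is the policy the hardened handler applies: allowlist types
// a browser displays without running script; anything else, including
// "unknown", becomes text/plain so the body is shown rather than parsed.
func inlineContentType(name, stored string) string {
	const plain = "text/plain; charset=utf-8"
	ct := stored
	if ct == "" {
		ct = mime.TypeByExtension(filepath.Ext(name))
	}
	mediaType, _, err := mime.ParseMediaType(ct)
	if err != nil {
		return plain
	}
	switch {
	case mediaType == "image/svg+xml": // an image type that can carry <script>
		return plain
	case strings.HasPrefix(mediaType, "image/"),
		strings.HasPrefix(mediaType, "audio/"),
		strings.HasPrefix(mediaType, "video/"):
		return mediaType
	case mediaType == "text/plain", mediaType == "text/css", mediaType == "text/csv":
		return mediaType + "; charset=utf-8"
	default: // text/html, text/xml, application/xhtml+xml, octet-stream, ...
		return plain
	}
}

// hardenedInline applies the policy and tells the browser not to second-guess it.
func hardenedInline(w http.ResponseWriter, r *http.Request) {
	f, ok := lookup(r)
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", inlineContentType(f.name, f.contentType))
	w.Header().Set("X-Content-Type-Options", "nosniff")
	// Defence in depth: if markup is ever rendered, it runs in an opaque,
	// script-less sandbox rather than in the file host's origin.
	w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
	w.Header().Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", f.name))
	_, _ = w.Write(f.body)
}

// serve runs a handler against an in-memory request so the headers each
// handler would send can be inspected without a listening socket.
func serve(h http.HandlerFunc, path string) *http.Response {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Result()
}

func main() {
	for _, name := range []string{"poc", "page.html", "logo.png"} {
		before := serve(vulnerableInline, "/inline/"+name)
		after := serve(hardenedInline, "/inline/"+name)
		fmt.Printf("%-10s before=%q after=%q nosniff=%q\n", name,
			before.Header.Get("Content-Type"), after.Header.Get("Content-Type"),
			after.Header.Get("X-Content-Type-Options"))
	}
}
```

The allowlist is deliberately short: text/xml and XHTML are excluded because an XML document can pull in the XHTML namespace and execute script, and SVG is excluded from the image/* pass-through for the same reason. Forcing text/plain together with nosniff covers the extensionless case from the report, where no extension lookup can help and the browser would otherwise sniff the body as HTML.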