Lucene search

HistorySep 29, 2017 - 2:33 p.m.

Rockstar Games: Stored XSS via Send crew invite


In this report, the researcher was able to demonstrate a vulnerability in our Crew Invite mechanism that could have allowed an attacker to carry out a Stored XSS attack. By modifying a request in-flight and injecting unexpected characters in the Invitation message body, it was possible to escape our filters and perform the attack. To fix this, we have updated our anti-XSS efforts site-wide, and additionally ensured that we are filtering and escaping control characters and other unexpected characters on this endpoint.