Lucene search

K
hackeroneFa1rlightH1:272997
HistorySep 29, 2017 - 2:33 p.m.

Rockstar Games: Stored XSS via Send crew invite

2017-09-2914:33:29
fa1rlight
hackerone.com
4

In this report, the researcher was able to demonstrate a vulnerability in our Crew Invite mechanism that could have allowed an attacker to carry out a Stored XSS attack. By modifying a request in-flight and injecting unexpected characters in the Invitation message body, it was possible to escape our filters and perform the attack. To fix this, we have updated our anti-XSS efforts site-wide, and additionally ensured that we are filtering and escaping control characters and other unexpected characters on this endpoint.