OkCupid: XSS in 404 page of cdn.okccdn.com

ID H1:3317
Type hackerone
Reporter kenb
Modified 2014-08-22T19:00:15


The server does not sanitize the URL data sent to it before reflecting it in the 404 error page, in the message stating that the URL does not exist. It is therefore possible to put JavaScript in the URL bar and have it execute in the browser (a reflected XSS). Please see the attached screenshots...
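The bug class described above, as an added illustration that is not OkCupid's code and does not reflect how cdn.okccdn.com was actually implemented: a minimal 404 handler that reflects the requested path into the page body unescaped, beside the same handler with HTML entity encoding applied. All function names and the payload are constructed for this example.

```javascript
// Added example, not code from the original report or from OkCupid.
// Demonstrates a reflected XSS in a 404 page and the entity-encoding fix.

// Encode the five characters that can break out of an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable (hypothetical): the raw request path lands in the HTML verbatim,
// so a path containing <script> is rendered as markup, not as text.
function render404Vulnerable(requestPath) {
  return "<html><body><h1>404 Not Found</h1>" +
         "<p>The URL " + requestPath + " does not exist.</p></body></html>";
}

// Fixed (hypothetical): the path is entity-encoded before interpolation.
// Note the context matters: this encoding is only correct for HTML text
// and double-quoted attribute values, not for a JavaScript or URL context.
function render404Fixed(requestPath) {
  return "<html><body><h1>404 Not Found</h1>" +
         "<p>The URL " + escapeHtml(requestPath) + " does not exist.</p></body></html>";
}

// Constructed probe of the kind a tester would place in the URL bar.
const PAYLOAD = "/does-not-exist/<script>alert(document.domain)</script>";

// Check used to judge a response: an unencoded <script ...> tag in the body
// means request-controlled markup was rendered. The templates above contain
// no script tag of their own, so any hit comes from the request.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Demo run: the vulnerable handler reflects the tag, the fixed one does not.
console.log("vulnerable:", containsInjectedScript(render404Vulnerable(PAYLOAD)));
console.log("fixed     :", containsInjectedScript(render404Fixed(PAYLOAD)));
```

Beyond encoding, the practical check is to request a non-existent path that contains angle brackets and look at the raw response body: if the brackets come back unencoded inside an HTML response, the page is reflecting input unsafely regardless of what the browser happens to render.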

Server: cdn.okccdn.com