Twitter: Twitter Card - Parent Window Redirection

2015-02-05T22:56:25
ID H1:46818
Type hackerone
Reporter batuhan
Modified 2015-05-04T22:54:25

Description

Hi, I was trying to find XSS on another website and I finally did.

After that I tried to share this URL on Twitter to show the website owner, and noticed that I can run JavaScript in that iframe.

JavaScript that I used on the Twitter Card:

<script>top.window.location.href="https://google.com.tr"</script>

You can watch PoC
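
A defensive check for the behaviour described in the report, added here as an example and not part of the original report or of Twitter's code: it scans markup for `<iframe>` tags and reports whether the `sandbox` attribute would stop framed script from navigating the top window. The sample markup and the `card.example` host are constructed, and the function names are hypothetical.

```javascript
// Added example (not from the report): audit <iframe> markup for whether
// framed content may navigate the top-level window.
// Simplified tag scanner for illustration, not a full HTML parser.
const TOP_NAV = "allow-top-navigation";
const TOP_NAV_GESTURE = "allow-top-navigation-by-user-activation";

// Attribute value from a tag's source text; "" if bare, null if absent.
function getAttr(tag, name) {
  const re = new RegExp(
    `\\s${name}(?:\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+)))?(?=[\\s/>])`,
    "i"
  );
  const m = re.exec(tag);
  return m ? m[1] ?? m[2] ?? m[3] ?? "" : null;
}

function classifyFrame(tag) {
  const sandbox = getAttr(tag, "sandbox");
  // No sandbox attribute: the markup puts no limit on top navigation.
  if (sandbox === null) return "unsandboxed";
  const tokens = sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  if (tokens.includes(TOP_NAV)) return "top-navigation-allowed";
  if (tokens.includes(TOP_NAV_GESTURE)) return "top-navigation-on-user-gesture";
  // Sandboxed without a top-navigation token: the browser blocks
  // top.location assignments made by the framed document.
  return tokens.includes("allow-scripts") ? "scripts-contained" : "no-scripts";
}

function auditFrames(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => ({
    src: getAttr(tag, "src"),
    verdict: classifyFrame(tag),
  }));
}

// Constructed sample markup; card.example is a placeholder host.
const SAMPLE = `
<iframe src="https://card.example/a"></iframe>
<iframe src="https://card.example/b" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://card.example/c" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://card.example/d" sandbox></iframe>
`;

for (const f of auditFrames(SAMPLE)) console.log(f.src, "->", f.verdict);
```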