Dragons Kingdom Script v1.0
Homepage:
http://www.dkscript.com/
Affected files:
*Sending mail:
*Character Profiles:
XSS vuln with cookie disclosure when sending in-game mail:
User data isn't sanatized before being generated.
For a PoC send someone a mail that says:
<IMG SRC=javascript:alert('XSS')>
Screenshots:
http://www.youfucktard.com/xsp/dragking1.jpg
http://www.youfucktard.com/xsp/dragking2.jpg
XSS vulns with cookie disclosure in character profiles:
The form for editing your player profile can be spoofed to increase the maxchar limit to create our xss example.
Vulnerable profile input boxes:
XSS vuln when posting in the forum or replying:
User data isn't sanatized before being generated.
For a PoC put the code below as your forum topic or msg:
<IMG SRC=javascript:alert('XSS')>
Also works when replying to msgs.
PoC screenshots:
http://www.youfucktard.com/xsp/dragking6.jpg
http://www.youfucktard.com/xsp/dragking7.jpg
Gambling Den bet bypass:
It seems if you don't like your first card you got, you can refresh the screen and another random card will appear on screen. This makes it very easy to guess & cheat at this game.
Exploring bypass:
If you just want to power level and don't want to wait for the compass to load you can use the link below. You'll stay on the same tile, but fatique will increase like you're moving, and mobs will attack you.