This morning, I received a notification from OpenBugBounty.org that an XSS vulnerability had been found on ChrisHammond.com. The email included a link to a bug bounty report but lacked specific details about the issue.
I quickly set up an account on OpenBugBounty.org and attempted to claim the domain to gain more information. Upon successfully doing so, I was provided with the display name of the researcher who reported the issue. I reached out to them via email, albeit cautiously, as I was unsure if it might be a phishing attempt.
To my relief, the researcher responded within a few hours with additional details about their findings. The vulnerability was traced back to a recent update I made to the Engage Publish module. For several years, I had disabled tags across the site due to performance issues. Recently, in an effort to improve SEO, I re-enabled tags and set the incoming tags to display on the tag listing page. Unfortunately, I didn't properly scrub the input before displaying it, allowing XSS to be injected directly into the page.
The researcher's email included the following:
"I AM Mr. PINKY PRAJAPATI, a white-hat security researcher student who found a Cross-site Scripting (XSS) vulnerability."
The email also provided reproduction steps and a screenshot of the issue.
I immediately dove into the Engage Publish source code to address the problem and deployed the fix to the website.
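The class of bug described above and the usual remedy, as an added example that is not the Engage Publish code or the fix that was actually deployed: a tag list built from the request, first concatenated as-is and then with output encoding for each context. The class name, the `;` separator, the `/tags?tags=` URL and the 50-character limit are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Added example with hypothetical names; not the Engage Publish source.
public static class TagListRenderer
{
    private const int MaxTagLength = 50; // assumed limit

    // "Before": the incoming value is concatenated into the markup as-is,
    // so any markup carried in the request becomes part of the page.
    public static string RenderUnsafe(string rawTags)
    {
        return "<h2>Tags: " + rawTags + "</h2>";
    }

    // "After": split the value, drop empty, over-long or control-character
    // entries, then encode each tag for the context it is written into.
    public static string RenderSafe(string rawTags)
    {
        IEnumerable<string> tags = (rawTags ?? string.Empty)
            .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(t => t.Trim())
            .Where(t => t.Length > 0 && t.Length <= MaxTagLength && !t.Any(char.IsControl))
            .Distinct(StringComparer.OrdinalIgnoreCase);

        IEnumerable<string> items = tags.Select(t =>
            // URL-encode for the query string, then HTML-encode for the attribute.
            "<li><a href=\"/tags?tags=" + WebUtility.HtmlEncode(Uri.EscapeDataString(t)) + "\">"
            // HTML-encode for the element body.
            + WebUtility.HtmlEncode(t) + "</a></li>");

        return "<ul>" + string.Concat(items) + "</ul>";
    }

    public static void Main()
    {
        // Constructed sample input: a plain tag, a tag containing markup,
        // and a tag containing a character that is special in HTML and URLs.
        string incoming = "dotnet;<b>bold</b>;R&D";
        Console.WriteLine(RenderUnsafe(incoming));
        Console.WriteLine(RenderSafe(incoming));
    }
}
```

In the second line of output the markup arrives in the page as visible text rather than as an element, and the same value is percent-encoded inside the link.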
I want to extend my heartfelt thanks to Mr. Pinky Prajapati for identifying and reporting the XSS vulnerability. Your diligence and expertise in uncovering this issue are greatly appreciated. The detailed information you provided, including the reproduction steps and screenshot, was invaluable in helping me understand and quickly address the problem. Thanks to your efforts, I was able to promptly fix the vulnerability and secure the website.
Your contribution not only helped improve the security of ChrisHammond.com but also underscored the importance of community-driven efforts in maintaining a safe online environment. I am truly grateful for your assistance and dedication as a white-hat security researcher.
Thank you once again for your support and for helping to keep the web a safer place.
Best regards,
Chris Hammond