Cross-domain AJAX request
Unknown
Vulnerability Details
Hi,
Two weeks ago, I found a cross-domain AJAX request, but because you use a very strict Content Security Policy, I hesitated to send this. Today, I noticed that the bug has been fixed. But this fix can be bypassed.
This example is not working now (screenshot 1):
https://hackerone.com/bugs?subject=/google.com/
But if it is (screenshot 2):
https://hackerone.com/bugs?subject=/[email protected]/
or https://hackerone.com/bugs?subject=%2Fhackerone.com.google.com
it will work.
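The two bypass URLs above share a pattern: the blocked hostname is still present, but wrapped in URL userinfo or appended as a subdomain of a trusted-looking name. The following is an added example (not code from the report or from HackerOne) of how a defender validates such a parameter: parse it as a URL and compare the hostname exactly against an allowlist, rather than pattern-matching the raw string. The allowlist and the sample inputs are constructed for illustration.

```javascript
// Constructed allowlist of exact hostnames; assumption, not HackerOne's real list.
const ALLOWED_HOSTS = new Set(['hackerone.com', 'www.hackerone.com']);

// Returns true only for an absolute https URL whose parsed hostname is allowlisted.
function isAllowedUrl(input) {
  let url;
  try {
    url = new URL(input); // relative strings such as "/google.com/" throw here
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  // Reject userinfo: in "https://trusted@other.example/" the real host is after the "@".
  if (url.username || url.password) return false;
  // Exact match only: "trusted.example.other.example" is a different host, not a subdomain of ours.
  return ALLOWED_HOSTS.has(url.hostname.toLowerCase());
}

// Constructed sample inputs mirroring the shapes discussed in the report.
const samples = [
  'https://hackerone.com/bugs',               // allowed
  'https://google.com/',                      // rejected: host not allowlisted
  'https://hackerone.com@google.com/',        // rejected: userinfo trick, real host is google.com
  'https://hackerone.com.google.com/',        // rejected: subdomain of google.com
  '/google.com/',                             // rejected: not an absolute URL
];
for (const s of samples) console.log(s, '->', isAllowedUrl(s));
```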
Report Stats
- Report ID: 97948
- State: Closed
- Substate: resolved
- Upvotes: 6