Friday, November 13, 2015

Stored XSS in Slack via emoji (Bug Bounty)

I have found ANOTHER cross site scripting in Slack. This time, a Stored one, the most dangerous of all XSS... Anyway, The payload I used is very unique, the XSS has to be popped up thru an emoji. The Slack security team fixed this pretty fast since the XSS is a Stored one. This was my third bug from Slack.. and I immediately rose to Top 26 in their thanks page (https://hackerone.com/slack/thanks/). For more details regarding my report, just visit this link: https://hackerone.com/reports/96337


Image POC:

      






Reward:

$500

No comments:

Post a Comment