Friday, November 13, 2015

Stored XSS in Slack via emoji (Bug Bounty)

I have found ANOTHER cross-site scripting bug in Slack. This time, a Stored one, the most dangerous of all XSS... Anyway, the payload I used is very unique: the XSS has to be popped up through an emoji. The Slack security team fixed this pretty fast since the XSS is a Stored one. This was my third bug from Slack, and I immediately rose to Top 26 in their thanks page ( For more details regarding my report, just visit this link:

Image POC:




