Create a gist now

Instantly share code, notes, and snippets.

@homakov /f.rb
Last active Sep 1, 2017

# Try to get persistent XSS on
# 1. The user loads the /xss link you crafted
# 2. The user closes the tab and opens any other page
# 3. The user sees an alert.
# PS. not ruby specific. For Chrome.
get '/jsonp' do
response.headers['content-type'] = 'text/javascript'
get '/xss' do
response.headers['x-xss-protection'] = '0;'
"<html><body>Hello, #{params[:user]}</body></html>"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment