@homakov /f.rb
Last active Aug 29, 2015

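# Try to get persistent XSS on https://clientsit.herokuapp.com/
# 1. The user loads the /xss link you crafted
# 2. The user closes the tab and opens any other page
# 3. The user sees an alert.
# PS. Not Ruby-specific. For Chrome.
require 'sinatra'

# JSONP endpoint: the callback parameter is reflected as-is into a JavaScript response.
get '/jsonp' do
  response.headers['content-type'] = 'text/javascript'
  "#{params[:callback]}(0)"
end

# Reflected XSS endpoint: the browser's XSS filter is switched off and
# the user parameter is written into the HTML without escaping.
get '/xss' do
  response.headers['x-xss-protection'] = '0;'
  "<html><body>Hello, #{params[:user]}</body></html>"
end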
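For comparison, a hardened form of the two response bodies, as an added example that is not part of the original gist. The helper names `jsonp_body` and `greeting_html`, the callback allow-list and the length limit are assumptions made for illustration; only the Ruby standard library is used so the helpers can be dropped into any handler.

```ruby
require 'erb'

# Assumed allow-list: a dotted path of plain JavaScript identifiers.
# \A and \z anchor the whole string; ^ and $ would only anchor one line in Ruby.
CALLBACK_RE = /\A[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*\z/
MAX_CALLBACK_LEN = 64 # assumed limit

# Body for the /jsonp response, or nil when the callback must be rejected.
# A handler would answer 400 on nil instead of reflecting the parameter.
def jsonp_body(callback, payload = '0')
  cb = callback.to_s
  return nil if cb.empty? || cb.length > MAX_CALLBACK_LEN
  return nil unless CALLBACK_RE.match?(cb)
  # Leading empty comment: the response never starts with caller-chosen bytes.
  "/**/#{cb}(#{payload});"
end

# Body for the /xss response with the user value HTML-escaped.
# The handler would also stop sending 'x-xss-protection: 0;'.
def greeting_html(user)
  "<html><body>Hello, #{ERB::Util.html_escape(user.to_s)}</body></html>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  ['cb', 'app.onData', 'alert(1)//', "cb\nalert(1)", ''].each do |cb|
    puts "#{cb.inspect} -> #{jsonp_body(cb).inspect}"
  end
  puts greeting_html('<script>alert(1)</script>')
end
```
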