
Highlights

  • Let’s see what happens when I insert a link for the image. Is the URL embedded directly, or will there be some safe handling to protect against request forgeries?
  • Chess.com handles this server-side by re-uploading the image to their content hosting server and then pointing the image URL to that.
  • using a link whose root domain is chess.com
  • I switched to my alt account, navigated to my main account’s profile and then checked my alt’s friend list - it had successfully added my main account.
  • Damn, brackets are filtered… this means that I wouldn’t be able to call any functions with any parameters.
  • Even worse, practically every useful symbol is filtered – ,’ ^&[]’$%
  • Rich text editors are a gold mine for achieving XSS because they allow different HTML elements for a more stylish appearance.
  • Instead of accepting input and treating it only as text, it has to get raw HTML and directly embed it
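The last two highlights make the defender's point: a rich text editor must accept raw HTML, so filtering individual characters (as in the bracket and symbol filters above) is the wrong layer. Below is an added example, not code from the article or from Chess.com, of the alternative: a server-side allowlist sanitizer that keeps only known-safe tags and attributes, drops event handlers and non-http(s) URLs, and re-escapes everything else. The tag and attribute sets are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from html import escape

# Assumed allowlist for a simple profile/post editor (illustrative, not Chess.com's).
ALLOWED_TAGS = {"b", "i", "u", "strong", "em", "p", "br", "a", "img", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br", "img"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch; anything not explicitly allowed is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (script, iframe, svg, ...) is dropped; its text survives as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # removes on*= handlers, style=, srcdoc=, etc.
            if name in ("href", "src") and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue  # rejects javascript:, data:, and relative/protocol-relative URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:  # close intervening tags too so output stays well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data))  # text (including decoded entities) is always re-escaped

    def close(self):
        super().close()
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_html(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Comments and processing instructions are discarded by the default HTMLParser handlers, so they never reach the output.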