Published on April 19th, 2019 📆 | 6794 Views ⚑0
Bug Bounty Alibaba : Self (XSS) Vulnerability
Report & Participant : Andri Wahyudi
Website : http://alibaba.com/
Status : Patched
Type : Self (XSS)
The attacker can access the victim’s cookies associated with the website using document.domain, send them to his own server, and use them to hijack the session of target user. An attacker can also register a keyboard event listener using addEventListener and then send all of the user’s keystrokes to his own server, potentially recording sensitive information such as passwords and credit card numbers.