Freelancer.com Stored XSS

On the 8th of August 2013, I reported a persistent cross site scripting vulnerability on freelancer.com
The bug is located in the picture upload function of the site. Attackers can basically create an image file with the attacking vectors. For eg, renaming a normal png file to <img src=”” onerror=”javascript:alert(1)”>.png and just uploading it to the site. The site will echo out the name of the image, thus javascript will be executed.

The bug was fixed on 27/08/2013

Freelancer.com Bug bounty program includes:
1) A freelancer.com t-shirt.
2) Listed on the site Hall of Fame. – http://www.freelancer.com/info/security-hall-of-fame.php
3) A whitehat hacker badge for your freelancer’s profile. -http://www.freelancer.com/u/wuming69.html

Freelancer.com Global Rank: 534

IMG_0985

freelancerbadge

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s