7
Conrad
4y

Oh look, I found a mime-type.net/scam/webpage/

And no, they don't have any XSS protection

Comments
  • 3
    The exact part in your screenshot actually is a tiny little bit protected, however inadvertently; it only injects the URI until the penultimate slash, where all other places it's used inject the entire URI, only stripping the last slash and capitalising the first letter after the penultimate slash...
  • 4
    Oh yeah, and something like the below will get run just fine a total of 12 times while breaking the <head> because it's injected there as well:
    http://www.mime-type.net/mime<script>alert("Booh!")</script>type/
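
An added example (not part of the thread and not the site's code) of output-encoding a reflected request path before it is written into both the head and the body. The templates, function names and the path transformation are assumptions modelled on the description in the comments above.

```javascript
// Added example: names and templates are hypothetical, not the site's code.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Approximation of the transformation the comment describes: drop the last
// slash and capitalise the first letter after the penultimate slash.
function labelFromPath(path) {
  const trimmed = path.endsWith("/") ? path.slice(0, -1) : path;
  const cut = trimmed.lastIndexOf("/") + 1;
  return trimmed.slice(0, cut) + trimmed.charAt(cut).toUpperCase() + trimmed.slice(cut + 1);
}

// Reflect the label into <head> and <body>; `encode` decides whether it is escaped.
function renderPage(path, encode) {
  const label = encode(labelFromPath(path));
  return [
    "<html><head>",
    `<title>${label}</title>`,
    `<meta name="description" content="${label}">`,
    "</head><body>",
    `<h1>${label}</h1>`,
    "</body></html>",
  ].join("\n");
}

// Count how often markup from the path survives as a real opening tag.
function countScriptTags(html) {
  return (html.match(/<script>/gi) || []).length;
}

// Constructed sample: the request path quoted in the comment above.
const samplePath = '/mime<script>alert("Booh!")</script>type/';
const unescaped = renderPage(samplePath, (s) => s); // behaviour described in the thread
const escaped = renderPage(samplePath, escapeHtml); // output-encoded at every sink

console.log("unescaped <script> tags:", countScriptTags(unescaped));
console.log("escaped <script> tags:  ", countScriptTags(escaped));
console.log(escaped);
```

Escaping happens at each sink rather than once on input, so the same reflected value stays inert in the title, the attribute and the heading.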