Error message text in GET parameters

I work with an organization whose software gives an error message in the GET parameters (http://example.com/error?This+is+an+error). Now I played around with changing the text and it displays the new text fine. It also does seem to notice when I try to encode HTML and gives a 403 error. While I don't know much about hacking, I have the impression that this could be a huge vector for an XSS attack. Does anyone have any suggestions on how I can show this problem to them safely, or is this really not the big deal that I think it might be?

submitted by /u/Mitb

from hacking: security in practice https://ift.tt/mtyBR85
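The situation described in the post (a message taken from the query string and reflected into the page, with a 403 returned when the message contains HTML) can be reproduced offline in a few lines. The example below is added here and is not code from the post or from the organization's software; the URL shape is the one in the post, the `naive_filter` is an assumed stand-in for whatever produces the 403, and the HTML template is made up for illustration. It contrasts three handlers: the reflection with no encoding, the reflection guarded only by a character blocklist, and the reflection with proper output encoding.

```python
import html
from urllib.parse import urlsplit, unquote_plus

# Characters the assumed blocklist rejects. A real WAF or filter is more
# elaborate; this only models the observed "HTML in the message -> 403".
FORBIDDEN_CHARS = "<>"


def error_param(url: str) -> str:
    """Extract the message from http://example.com/error?This+is+an+error.

    The post shows the whole query string used as the message (no key=value),
    so the query is taken verbatim and form-decoded ('+' -> ' ')."""
    return unquote_plus(urlsplit(url).query)


def render_vulnerable(msg: str) -> str:
    """Reflect the message into HTML with no encoding: the raw XSS sink."""
    return f'<p class="error">{msg}</p>'


def naive_filter(msg: str) -> int:
    """Assumed stand-in for the 403 behaviour: reject any angle bracket."""
    return 403 if any(c in msg for c in FORBIDDEN_CHARS) else 200


def render_safe(msg: str) -> str:
    """Reflect the message with HTML entity encoding (the actual fix).

    quote=True also encodes ' and " so the same helper stays safe if the
    message is ever placed inside an attribute value."""
    return f'<p class="error">{html.escape(msg, quote=True)}</p>'


def handle(url: str, mode: str) -> tuple[int, str]:
    """Simulate one request; mode selects which handler the server uses."""
    msg = error_param(url)
    if mode == "vulnerable":
        return 200, render_vulnerable(msg)
    if mode == "blocklist":
        status = naive_filter(msg)
        return (status, "Forbidden") if status == 403 else (200, render_vulnerable(msg))
    if mode == "safe":
        return 200, render_safe(msg)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # A harmless proof that the page is reflecting markup: <u> underlines text
    # and runs no script, so it is a safe thing to show the owners.
    poc = "http://example.com/error?%3Cu%3Etest%3C%2Fu%3E"
    for mode in ("vulnerable", "blocklist", "safe"):
        print(mode, handle(poc, mode))
```

The blocklist turns away the underline proof of concept, which is why the post saw a 403, but it is not the same thing as encoding the output: a message such as `say "hi"` passes `naive_filter` untouched and is reflected raw in `blocklist` mode, while `render_safe` turns the quotes into entities. Whether that matters on the real site depends on where the message lands in the page, which the post does not say; the point of the comparison is that output encoding removes the question, and a character blocklist does not.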
