XSS vulnerability on the site Futurico.ru

    I found a semi-active XSS vulnerability on the site Futurico.ru.
    It's simple: enter a message on the site (a small phrase).

    Then we find out the message id by capturing the POST parameters during loading.
    Now just pass that POST parameter using the GET method, as futurico.ru/map/getPointInfo.php?point=****, and we see our message.
    There is no filtering.
    At the moment, the developers have partially disabled the "small phrases", but you can still write messages and access them via id.
    More information can be found here.
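
The missing filtering described above, shown next to an output-encoded version, as an added example that is not the site's code or part of the original post. The message store, the function names and the assumption that the endpoint is meant to be POST-only are hypothetical; only the `point` parameter name comes from the post.

```php
<?php
// Added example: hypothetical stand-in for a getPointInfo-style handler.
// The store and function names are assumptions, not the site's real code.

// Constructed sample data: message id => text exactly as a visitor typed it.
$messages = [
    101 => 'Hello from the map',
    102 => '<script>alert(1)</script>', // constructed message containing markup
];

// Behaviour the post describes: the id is accepted from GET or POST alike
// and the stored text is written into the page with no filtering.
function render_unfiltered(array $messages, array $request): string
{
    $id = $request['point'] ?? '';
    return '<div class="point">' . ($messages[$id] ?? '') . '</div>';
}

// Hardened version. Output encoding is the actual fix; the method check
// (an assumption about the intended design) stops the stored message from
// being reachable through a plain link.
function render_encoded(array $messages, string $method, array $post): array
{
    if ($method !== 'POST') {
        return [405, 'Method Not Allowed'];
    }
    // The id must be a positive integer that exists in the store.
    $id = filter_var($post['point'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($messages[$id])) {
        return [404, 'Not Found'];
    }
    // Encode at output time so stored markup is displayed as text.
    $safe = htmlspecialchars($messages[$id], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return [200, '<div class="point">' . $safe . '</div>'];
}

// Unfiltered: the stored markup reaches the page unchanged.
echo render_unfiltered($messages, ['point' => '102']), PHP_EOL;

// Hardened: a GET request is refused, a POST returns the encoded text.
print_r(render_encoded($messages, 'GET', []));
print_r(render_encoded($messages, 'POST', ['point' => '102']));
```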
