Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Why would YOU see a mystery XSS exploit on a social network? The idea of the DoD scoring these little exploits in a box is usually to deploy in a highly controlled and specific manner. You as a layperson is of no interest to them unless you are some kind of intelligence asset or foreign adversary




Wouldn't platforms see the supposed XSS payloads in their logs and publish analyses of them, or at the very least, announce that they happened?

reply


Seems like none of these major websites detected anything, and they are supposed to be top-notch in the world.

It's only because the researcher contacted them.

reply


Also because nobody actively exploited them! You're using the word "detected" to mean "discovered", which nobody working in the field would ever do.

reply


detected: WAF caught or detected the attack and raised an alert, post-exploitation

discovered: they audited or pentested themself and found out, preemptively

I just mean that Coinbase didn’t see anything happening and didn’t take action though the boy successfully exploited the vulnerability on their live system.

reply




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: