The 29min Exploit. [Edited]
Click this button to donate 100 satoshi for my security research.
Until a while ago, this button was working.
You'd tip me 100 satoshi, directly from my post, without XSS.
This is one of the more interesting bugs I found and reported to ZapRead, because it involves money!
Many bugs have been fixed by Zelgada, props.
Some are still open, some of them are public.
I decided to share this one, because it's a funny combination of:
1. A CSRF to Tip Money
2. Very lax XSS sanitizer rules
3. A JSON endpoint accepting x-www-form-urlencoded
To be clear, you could have exploited this CSRF alone.
But I thought it was cool to do it inside the ZapRead UI.
I could have used an iframe, yes, but I guess then Zelgada wouldn't be so cool about this.
I think I gave Zelgada enough time and just wanted to drop a cool bug!
Read more below.
Have fun reverse engineering this while it's vulnerable! Edit: It was fixed in 29 min.
Results: 1 "hacked" donation + bounty from Zelgada. Thanks for not calling your lawyer Zelgada ;)
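A server-side guard against the combination listed above, as an added example that is not part of the original post and is not ZapRead's code or its fix: the handler accepts only `application/json`, so a form-encoded post is refused even when it comes from the site's own pages, and it requires a per-session token. The origin, header name, `amount` field and sample requests are constructed assumptions.

```python
import hmac
import json

ALLOWED_ORIGIN = "https://example.test"  # assumption: the site's own origin
SESSION_TOKEN = "constructed-token-123"  # constructed per-session CSRF token

def check_tip_request(headers, body, session_token):
    """Vet a state-changing POST. headers: lower-case names; body: bytes.
    Returns (True, payload) or (False, reason)."""
    # 1. Strict media type. HTML forms can only send urlencoded, multipart
    #    or text/plain, so none of them can reach the JSON parser.
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return False, "unsupported content type"
    # 2. Origin must be present and ours (does not stop same-site markup).
    if headers.get("origin") != ALLOWED_ORIGIN:
        return False, "bad origin"
    # 3. Per-session token in a custom header, constant-time comparison.
    sent = headers.get("x-csrf-token", "")
    if not session_token or not hmac.compare_digest(
            sent.encode(), session_token.encode()):
        return False, "bad csrf token"
    # 4. Parse and validate the payload itself.
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed json"
    amount = data.get("amount") if isinstance(data, dict) else None
    if type(amount) is not int or amount <= 0:
        return False, "bad amount"
    return True, data

# Constructed requests. The first three carry the site's own origin, as a
# form rendered inside a post on the site would.
FORM_POST = ({"content-type": "application/x-www-form-urlencoded",
              "origin": ALLOWED_ORIGIN}, b"amount=100")
TEXT_POST = ({"content-type": "text/plain",
              "origin": ALLOWED_ORIGIN}, b'{"amount": 100}')
NO_TOKEN = ({"content-type": "application/json; charset=utf-8",
             "origin": ALLOWED_ORIGIN}, b'{"amount": 100}')
GOOD = ({"content-type": "application/json", "origin": ALLOWED_ORIGIN,
         "x-csrf-token": SESSION_TOKEN}, b'{"amount": 100}')

if __name__ == "__main__":
    for name, (h, b) in [("form", FORM_POST), ("text", TEXT_POST),
                         ("no token", NO_TOKEN), ("good", GOOD)]:
        print(name, check_tip_request(h, b, SESSION_TOKEN))
```

The `text/plain` case is included because a form can deliver a JSON-shaped body under that type, which is why the media type is matched exactly.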