IMVU Cross site scripting. 2 posts

OP Tue Sep 04, 2018 5:21 am
  • Posts: 7
  • Joined: Jul, 2018
  • Karma: 0
I dunno if you guys realize this but the IMVU website is vulnerable to a cross-site scripting attack. I haven't tried SQL injection, but holy shit this website is so poorly protected.

If you go on the website where it says edit javascript/html you can run scripts that actually work. This is fucked cause you can steal cookies.. you can test this by posting a basic HTML script in the box:

<script>alert("hehexd")</script>

It actually runs the pop-up but closes out. There's like some protection against that, but a well-made script can be executed to steal cookies or maybe password hashes, but don't really know how IMVU stores it, but if it has a shitty password encryption I'm sure you can break that. I'm sure IMVU invests no time actually encrypting good methods but LOL if they store it in plain text xD. God bless this website, it feels like it hasn't been updated since the start. Just been playing around with this but I'm not sure how far you could go with this.. but allowing users to run their own scripts, god bless xD.

-- Tue Sep 04, 2018 5:21 am --

I don't really know JavaScript but I'm sure a person that knows it can write some pretty malicious code within that page.

Tue Sep 04, 2018 5:34 am
Pimp
Inner Family Member
  • Gender: Male
  • Posts: 298
  • Joined: Aug, 2018
  • Advertisements: 5
  • Karma: 20
iridelola wrote:
I dunno if you guys realize this but the IMVU website is vulnerable to a cross-site scripting attack. I haven't tried SQL injection, but holy shit this website is so poorly protected. If you go on the website where it says edit javascript/html you can run scripts that actually work. This is fucked cause you can steal cookies.. you can test this by posting a basic HTML script in the box: <script>alert("hehexd")</script> It actually runs the pop-up but closes out. There's like some protection against that, but a well-made script can be executed to steal cookies or maybe password hashes, but don't really know how IMVU stores it, but if it has a shitty password encryption I'm sure you can break that. I'm sure IMVU invests no time actually encrypting good methods but LOL if they store it in plain text xD. God bless this website, it feels like it hasn't been updated since the start. Just been playing around with this but I'm not sure how far you could go with this.. but allowing users to run their own scripts, god bless xD. -- Tue Sep 04, 2018 5:21 am -- I don't really know JavaScript but I'm sure a person that knows it can write some pretty malicious code within that page.


Yeah, many are aware of this and so is IMVU Inc. IMVU allows users to input HTML/CSS/JS into these text boxes, for customization of homepages which others can come and view.
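
Added example, not part of the thread and not IMVU's code: when a site intentionally lets members put their own JavaScript on pages that other members view, whether that script can read a visitor's session cookie depends on the cookie flags and on whether the page is isolated from the main site origin. The check below audits a response's headers for both; the header values and function names are constructed for illustration.

```javascript
// Header values are constructed samples, not captured from any real site.
const weak = { 'set-cookie': ['session=abc123; Path=/'] };
const hardened = {
  'set-cookie': ['session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
  'content-security-policy': 'sandbox allow-scripts',
};

// Parse one Set-Cookie value into its name and lowercase attribute map.
function parseSetCookie(value) {
  const [pair, ...rest] = value.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    attrs[(i === -1 ? part : part.slice(0, i)).toLowerCase()] =
      i === -1 ? true : part.slice(i + 1);
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// List the findings for a response that serves user-authored HTML/JS.
function auditUserContentResponse(headers) {
  const findings = [];
  for (const raw of headers['set-cookie'] || []) {
    const { name, attrs } = parseSetCookie(raw);
    if (!attrs.httponly) findings.push(`${name}: readable by page script (no HttpOnly)`);
    if (!attrs.secure) findings.push(`${name}: sent over plain HTTP (no Secure)`);
    if (!attrs.samesite) findings.push(`${name}: no SameSite attribute`);
  }
  // A CSP "sandbox" without allow-same-origin gives the page an opaque origin,
  // so user script cannot reach the main site's cookies or storage.
  const csp = (headers['content-security-policy'] || '').toLowerCase();
  const sandbox = csp.split(';').map((d) => d.trim().split(/\s+/))
    .find((d) => d[0] === 'sandbox');
  if (!sandbox) {
    findings.push('no CSP sandbox: user script runs with the full site origin');
  } else if (sandbox.includes('allow-same-origin')) {
    findings.push('sandbox keeps same origin: user script still runs as the site');
  }
  return findings;
}

console.log(auditUserContentResponse(weak));
console.log(auditUserContentResponse(hardened));
```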
