How I 'exploit' my own app with a little trick

 

It's funny that I accidentally found this security bug in my app, PentestSuite. In fact, I don't have any experience with this: the app was developed entirely by me, and the security bug was also found by me, by accident, while I was just using it as if it had been developed by someone else.

I am not planning to fix this bug for now, though I am still considering whether to fix it or not. If I fix this bug, the community version will not be able to use the console from the Internal browser, and I don't want to block this feature.

So here's how you can bypass the check from the Internal browser, even though I have blocked the search bar for the community version of PentestSuite. Have you noticed that JavaScript can change the location of the browser by directly using:

location = '<ANY URL>'

So the trick is to use the console directly: entering this line of code will let you bypass this restriction.
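One way to keep the console and still enforce the restriction is to check the destination at the point where navigation happens, not in the search bar UI. The sketch below is an added example, not PentestSuite's code; the allowlisted hosts, the `pro` edition name and the `InternalBrowser` stand-in are assumptions made for illustration.

```javascript
// Added example: hypothetical navigation policy, not PentestSuite's code.
// Assumption: the community edition may only load a fixed set of hosts.
const COMMUNITY_ALLOWED_HOSTS = new Set(['docs.example.test', 'start.example.test']); // constructed values

// Decide on the destination itself, so the search bar, a link click and a
// console `location = '...'` assignment all receive the same answer.
function decideNavigation(rawUrl, edition) {
  let url;
  try {
    url = new URL(rawUrl); // normalises case and strips userinfo from hostname
  } catch {
    return { allow: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { allow: false, reason: `scheme ${url.protocol} not permitted` };
  }
  if (edition === 'pro') return { allow: true, reason: 'unrestricted edition' };
  if (COMMUNITY_ALLOWED_HOSTS.has(url.hostname)) {
    return { allow: true, reason: 'host on community allowlist' };
  }
  return { allow: false, reason: `host ${url.hostname} not on community allowlist` };
}

// Minimal stand-in for the internal browser: every entry point funnels into
// navigate(), which is the only place the policy is enforced.
class InternalBrowser {
  constructor(edition) {
    this.edition = edition;
    this.current = 'about:blank';
    this.blocked = []; // audit trail of refused navigations
  }
  navigate(rawUrl, source) {
    const verdict = decideNavigation(rawUrl, this.edition);
    if (verdict.allow) this.current = rawUrl;
    else this.blocked.push({ source, rawUrl, reason: verdict.reason });
    return verdict.allow;
  }
  fromSearchBar(rawUrl) { return this.navigate(rawUrl, 'search-bar'); }
  fromConsole(rawUrl) { return this.navigate(rawUrl, 'console'); } // models location = '...'
}
```

In a real embedded browser the equivalent of `navigate()` would be the framework's navigation-request hook, which fires regardless of whether the URL came from the UI or from script.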

So I also want to share how I feel about this.

It's pretty funny to learn this. I realized that I was pretty concentrated on building and making sure that every function was working fine in every situation. I feel like I was a little shortsighted while building the app, which leads to security bugs appearing. I want to say...

Just keep fighting bug bounty hunters, I am pretty sure that many other situations will be like this one.

