DMCA-dot-com XSS vuln reported in 2020 still live today and firm has shrugged it off

2022-02-02 10:15

There is a live cross-site scripting vulnerability in takedowns website DMCA-dot-com's user interface.

Infosec researcher Joel Ossi, founder of Dutch security firm Websec, announced his findings after spending more than a year trying and failing to get DMCA-dot-com to take the XSS seriously.

"I registered at DMCA at first with an intention to protect my own website," he blogged, explaining that he found unescaped free-text entry boxes in the DMCA user interface allowed him to create an XSS. DMCA-dot-com is a copyright takedown service.

Every single time he clicked to a new webpage in the DMCA-dot-com user area, the classic XSS tell-tale - a popup with a custom message - appeared.

As explained by MITRE, the flaw typically exists because free text entry forms don't sanitise user inputs.

Immersive Labs' app security specialist Sean Wright added: "Despite the fact they have been a part of the attacker toolkit for some time, many still underestimate the risks from XSS vulnerabilities. However, they are effectively client side remote code execution vulnerabilities. In the right circumstances, and combined with tools such as the Browser Exploitation Framework, XSS vulnerabilities give an attacker almost complete control of a browser. Ultimately, this could lead to redirects to malicious sites and even performing actions on behalf of the user."

News URL

https://go.theregister.com/feed/www.theregister.com/2022/02/02/dmca_com_live_xss_flaw/

#dmca #XSS