Stored XSS in GameSkinny

After weeks and weeks of e-mailing GameSkinny and tweeting at them to fix their security issues, they decided to not answer me (I think). That is very unfortunate. I also decided to remove my tweets to them, as they didn’t seem to reach them.

Today I have decided to release this to the public (full disclosure) as it still works.

Steps to Reproduce the stored XSS:

Go to: http://gameskinny.com and make an account.

Next we visit https://www.gameskinny.com/post/edit to make a thread or article — whichever you prefer to call it.

Now we insert our payload: “><svg/onload=alert(1)> ” and it should look a little something like this:

After that, scroll to the bottom, then click “Save your changes” and click the preview button.

… We get the famous confirm(1) to pop up!

Gif of the POC:

If you wanted to do malicious harm, or grab information that you weren’t supposed to have, then you would use a proper payload. I won’t be sharing that here — SORRY!

You can share your drafts with registered users, who will be able to see your article, and the XSS would execute in their browsers when they view it. You can also send the draft to the Editors by clicking “Send to editors”, which executes the XSS script in their browsers and would hijack their cookies or sessions to do malicious activity.
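For anyone fixing a bug like this one, here is an added example (not code from this post and not GameSkinny's code) that renders the payload from the steps above into an attribute-context template with and without output encoding, then audits what an HTML parser sees. The template, the `title` field and all function names are assumptions, since the site's real markup is not shown here.

```python
import html
from html.parser import HTMLParser

# Payload from the steps above, used as a constructed sample of a stored draft field.
PAYLOAD = '"><svg/onload=alert(1)>'

def render_preview_unsafe(title):
    # Vulnerable pattern: the stored value is concatenated into the attribute as-is,
    # so the leading "> closes the attribute and the tag.
    return '<input name="title" value="' + title + '">'

def render_preview_safe(title):
    # Fix: HTML-encode at output time, including quotes, for the attribute context.
    return '<input name="title" value="' + html.escape(title, quote=True) + '">'

class PreviewAudit(HTMLParser):
    """Records the tags, on* handlers and value attributes a parser sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers, self.values = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append(name)
            elif name == "value":
                self.values.append(value)

def audit(markup):
    parser = PreviewAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers, parser.values

def preview_is_clean(markup):
    # The hypothetical template only ever emits one <input> and no event handlers.
    tags, handlers, _ = audit(markup)
    return tags == ["input"] and not handlers

if __name__ == "__main__":
    for render in (render_preview_unsafe, render_preview_safe):
        out = render(PAYLOAD)
        print(render.__name__, preview_is_clean(out), audit(out))
```

A check like `preview_is_clean` can run as a regression test against every template that prints user-supplied draft fields.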

Once again, this post is NOT meant to do anything harmful to the website. I am just a security researcher who is trying to help secure your website — other websites as well.

I hope http://gameskinny.com does fix this issue in the future (hope very soon) to secure their users’ information.

If you have any questions or comments, feel free to message me on Twitter @Skeletorkeys

Thanks for reading.