Skip to main content

Freelancer.com Stored XSS

On the 8th of August 2013, I reported a persistent cross-site scripting vulnerability on freelancer.com, located in the picture upload function of the website. The bug was fixed on the 27th of August 2013.

Details#

  1. An attacker creates an image and set its file name to an XSS attack vector. For example, <img src="" onerror="javascript:alert(1)">.png.
  2. The attacker uploads the image.
  3. Wherever the image is used, the site will print out the name of the image, which will execute the XSS payload.

Bug Bounty#

Freelancer.com bug bounty program rewards include:

  1. A freelancer.com t-shirt.
  2. Listing on freelancer.com's Hall of Fame. – http://www.freelancer.com/info/security-hall-of-fame.php
  3. A whitehat hacker badge for your freelancer’s profile. - http://www.freelancer.com/u/wuming69.html
freelancer.com shirtfreelancer.com badge
info

Freelancer.com Alexa Global Rank (at the time): 534.