Exploiting chess.com


Summary of my bookmarked links from Jan 27th, 2024

Links

  • Rook to XSS: How I hacked chess.com with a rookie exploit

    The blog post details a cybersecurity enthusiast's discovery of a cross-site scripting (XSS) vulnerability on Chess.com, the #1 chess site with over 100 million users. The author leveraged their knowledge to manipulate the TinyMCE rich text editor, ultimately achieving full XSS by exploiting the background-image style attribute. The vulnerabilities stem from the site's image re-uploading function and the order of HTML sanitization. The post also highlights the unintended triggering of XSS during communication with the triage team due to version rollback. The author responsibly reported the findings thro