Here's a funny one. Have you ever seen a web browser exploit inside of Source?
Ever since the Panorama UI update to CS:GO in 2018, around the same time Valve began Electron-ifying the Steam client, CS has used a Chromium-based HTML5 engine to display its user interface and HUD. For a web browser sitting inside a video game, it's surprisingly performant and not terrible, especially sitting next to Valve's other attempts. But in Counter-Strike 2, Valve forgot to sanitize Steam usernames in the voting window.
What this means is that players can literally XSS you by just joining your server and then calling a command to votekick themselves. You would think a massive game company would know better, but I guess not. This was just discovered last night, it seems.
People seem to be using <img> tags, as fitting JavaScript code into a Steam username is... well, impossible. So the preferred method to exploit this is to have an embed linking to a PHP file on somebody's server. This is currently being used to steal the IP addresses of players.
Forum thread where people were testing it out:
https://archive.is/3IPpk
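The missing sanitization described above comes down to a player-supplied name being placed into HTML markup unescaped. The following is an added example, not code from the game or from the original post; the function names, the markup and the sample names are all hypothetical, and it shows the unescaped pattern beside an escaped one plus a simple check for names that contain markup.

```javascript
// Added illustration. Every name and the markup here are hypothetical;
// this is not Valve's code or the Panorama API.

// Unescaped pattern: the name is concatenated into markup as-is, so any
// tag inside the name is parsed by the HTML engine instead of shown as text.
function renderVoteLabelUnsafe(playerName) {
  return '<span class="vote-target">Kick player: ' + playerName + '?</span>';
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Replace every character that has meaning in HTML with its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escaped pattern: the name can only ever render as literal text.
// In a real DOM, assigning to textContent achieves the same result.
function renderVoteLabelSafe(playerName) {
  return '<span class="vote-target">Kick player: ' + escapeHtml(playerName) + '?</span>';
}

// Check a server operator could run on names before displaying or logging them.
function nameContainsMarkup(playerName) {
  return /[<>]/.test(String(playerName));
}

// Constructed sample names; example.invalid is a reserved placeholder host.
const SAMPLE_NAMES = ['xX_Sniper_Xx', 'Tom & Jerry', '<img src="//example.invalid/x">'];

function auditNames(names) {
  return names.map((name) => ({
    name,
    flagged: nameContainsMarkup(name),
    safeLabel: renderVoteLabelSafe(name),
  }));
}

console.log(auditNames(SAMPLE_NAMES));
```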