Defensive

How to Write a Good Vulnerability Findings Report

First of all, Happy Eid al Fitr 1440 H, please forgive any mistakes. Nothing in this world is perfect, including this writing. Since the launch of the BSSN program titled V2DP or Voluntary Vulnerability Disclosure Program, many people have asked in discussion forums and social media groups about how to properly write a bug report after discovering a vulnerability. Here are a few tips from me on how to write a good report.

Your Website Hacked? Do the Following

In the Surabaya Hacker Link Telegram group, @ytyao and I often create challenges such as web hacking, reversing, and others. However, in a previous challenge there was a small incident: the website was hacked. Well, the website was intentionally built to be hacked, but this hacker performed a mass wipe by deleting all files and folders. From that incident I learned something new: post-incident handling, commonly called Incident Response.

XSS Prevention

After briefly discussing XSS here, even though it was a bit messy, it's now time to discuss how to prevent this bug from existing on our website. XSS can be executed because loose <script> tags are rendered by the browser, so we manipulate the browser so that it does not execute HTML tags that are input by users. But don't worry, we're not going to mess with the browser itself, just do a little handling before user input is displayed on the website.