AmberCutie's Forum

Too many unusable apps and attempts to break the XSS filter

Status
Not open for further replies.
May 25, 2016
(Sorry for my English)

A website does not only have to be safe but also look like a safe website.

There are more than 1500 apps & bots that are unusable in Chaturbate; most of them are attempts to break the XSS filter. Can someone erase them?

I notify Chaturbate support once a month, but I only get an automatic response.

Many models ask if it is safe to use a new application or if it will work properly, and part of the fault is all the garbage that remains in that section for years without being eliminated by anyone.

It does not seem right to have an exposure of 1000 attempts to break the XSS filter.
It does not seem right either that applications that contain only a few words of code and do not work at all are left for years.

Thank you for reading it.

So what harm is there? Is it just a nuisance and clutter? Or are you concerned some of these scripts may successfully bypass XSS?

There was a problem with the names of the applications that apparently was resolved; I do not know of an official statement about the problem, but the problem was real.
They can prevent a person from creating 500 applications in a single day, and they can delete applications that only contain one line of code.

You enter your bank's website and see many phishing and scam attempts on the web; do you worry or let it go?
Surely my first thought is not: "Surely they have solved it but they leave it there because it looks very nice, what a beautiful and safe bank's website".
The first thing is to ask about security, and the second question is why they do not erase it. It does not make sense to leave something like that.

But since Chaturbate is not a bank and has nothing to do with my money or my data, we are all calm... Oh, wait!

Information about XSS in Chaturbate: https://hackerone.com/reports/384814

I am happy to see that a good part of the aforementioned Apps & Bots have been eliminated today.

It only remains for people to learn to use the testbed instead of real Chaturbate to test their applications, but that is a losing battle.

Thanks for bringing this to our attention. As you've noticed, tech is cleaning up the list.

I thought that CB has all those protections in place, like for XSS, CSRF (e.g. keeping it in the browser's sessionStorage and not as a cookie, etc.), injection attacks (OWASP Top 10, etc.).
What XSS attacks / scripts have they managed to do so far? Did they actually manage to script that a model who executes the bot would send tokens to a 3rd party, etc. without her knowledge?

There were no problems with running an app or bot, rather with visiting the page of that application.

The user names and the names of the applications become part of a Chaturbate URL when you create one of them.
The URLs of the rooms and the pages of the apps are formed with those names. That's the problem. If you write a username or app that contains part of the code, you can execute code or redirect the user to another URL.

To avoid that, Chaturbate has filters on the names and in the bios. The names of the apps were not being filtered correctly.

The problem was solved, but there is always someone who tries anyway.

What you described sounds more like an injection attack.
Those are simply solved with input validation filters (mod_proxy/mod_security, etc.).

Cross-Site Scripting attacks are a type of injection.
In this case the input validation of application names was not correctly configured, but now it's OK, as I've said before.

Input validation is especially helpful at preventing XSS in forms like the app name, but it is not a primary prevention method for vulnerabilities such as XSS and others. Chaturbate has many security systems and they work perfectly.

There are many rules in security software like ModSecurity, and there are a lot of ways to avoid them, so they must be configured well and constantly updated.

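An added example (not from this thread and not Chaturbate's own code) of the distinction the last two posts draw: an allowlist check on an app name at submission time, next to the "before" and "after" of rendering that name into a URL path and an HTML text node. Function names and the sample names are constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample names (not from the thread): one ordinary name and one
# carrying the kind of HTML metacharacters a name filter is meant to stop.
SAMPLE_NAMES = ["nice_bot", '"><b>bold</b>']


def name_passes_validation(name: str) -> bool:
    """Allowlist validation at submission time: letters, digits, underscore.

    This is defence in depth. It only helps for the characters it rejects,
    which is why the thread calls it secondary to output encoding.
    """
    return 0 < len(name) <= 32 and all(c.isalnum() or c == "_" for c in name)


def render_app_link_unsafe(name: str) -> str:
    """'Before' pattern: the name is copied verbatim into the URL and the HTML,
    so any markup inside it becomes part of the page."""
    return f'<a href="/apps/{name}">{name}</a>'


def render_app_link_safe(name: str) -> str:
    """Hardened pattern: encode for each output context separately.

    quote(..., safe="") percent-encodes the URL path segment (including "/"),
    html.escape(..., quote=True) escapes the text node and any quote chars.
    This is context-aware output encoding, independent of input validation.
    """
    path = quote(name, safe="")
    text = html.escape(name, quote=True)
    return f'<a href="/apps/{path}">{text}</a>'


def render_app_list(names: list[str]) -> str:
    """Render a list of app links the safe way, skipping nothing: even names
    that slipped past validation cannot break out of their context."""
    return "\n".join(render_app_link_safe(n) for n in names)


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(name_passes_validation(n), render_app_link_safe(n))
```

Run it and compare `render_app_link_unsafe` with `render_app_link_safe` on the second sample name: only the safe version keeps the name inside the attribute and the text node.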