XSS mitigation by hcs at 12:06 PM EDT on October 3, 2019
Well, someone submitted an XSS vulnerability notification to a bug bounty program that I'm not registered with, and which requires a Twitter account. Thanks, I guess, though I don't know why the heck they'd tie it to Twitter; it sounds like a phishing attempt that way.
The only thing I know of is it's easy to do something like this, but that requires interaction. Cookies have been https-only for a while (though CSRF is still possible). If anyone notices other possibilities, please do let me know. Otherwise I guess we'll see in January if they choose to disclose it then. If you're reading this, feel free to post it sooner.
As a general purpose mitigation I'm turning on Content-Security-Policy, an easy step that I've meant to do for a while. There isn't any reason to allow any kind of JS on here anyway. I'm restricting img src to https while at it, which will break some images. If anything else breaks, let me know.
This only helps with modern browsers, but I think that covers most of you. Ideally the whole mess would be rewritten (off the top of my head, keeping HTML in the database was a bad decision), but I don't have the time or inclination to do that now.
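As an added example (not code from this site), here is one way to build the kind of policy described above and to check that a given header value really blocks script execution and restricts images to https. The exact directive set is an assumption based on the post; the header is what you would send as `Content-Security-Policy`.

```python
"""Build and sanity-check a Content-Security-Policy header: no JavaScript
at all, images only over https. Added example, not the site's own code."""
from typing import Dict, List

# Assumed policy for this site: own origin by default, no scripts or plugins,
# images only over https (this will break any http:// images, as noted above).
SITE_POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'none'"],
    "img-src": ["https:"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
}

# Constructed weak example: 'unsafe-inline' lets stored HTML run scripts.
WEAK_HEADER = "default-src 'self' 'unsafe-inline'"


def build_csp(policy: Dict[str, List[str]]) -> str:
    """Serialise a directive map into a CSP header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a header value into a directive map (first occurrence wins,
    which is how browsers treat duplicate directives)."""
    out: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in out:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def script_execution_blocked(header: str) -> bool:
    """True only if the effective script-src is exactly 'none'.
    script-src falls back to default-src when absent; no policy at all
    means scripts are allowed."""
    d = parse_csp(header)
    return d.get("script-src", d.get("default-src")) == ["'none'"]


def images_https_only(header: str) -> bool:
    """True if every allowed image source is https (or 'self' on an https site)."""
    d = parse_csp(header)
    srcs = d.get("img-src", d.get("default-src", ["*"]))
    allowed = {"https:", "'self'", "'none'"}
    return all(s in allowed or s.startswith("https://") for s in srcs)
```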
Yeah, it looks legit; it's just that Twitter seems like a weird identity to require, given how hard it is/has been to secure, and how it isn't connected to a web site. I deleted my rarely used account last year, and the last thing I need now is more social media, but I guess I can open one now if it doesn't require a phone number anymore.
---
Oh, I wasn't even reading this right, I can just email the guy directly (I had assumed there was some eBay-style intermediation).