| ▲ | rainonmoon 13 hours ago | |||||||
Except discord.com doesn't execute JavaScript, the user's browser does. These are meaningful distinctions that delineate the impact. You aren't "discord.com" if you target someone with an XSS exploit, you've only run a script in a user's session. Whether you can actually do anything with that script or not decides whether you can take over the account or not. | ||||||||
| ▲ | rvnx 13 hours ago | parent | next [-] | |||||||
Yes, I agree, it’s a cool discovery though | ||||||||
| ▲ | llmslave2 13 hours ago | parent | prev [-] | |||||||
Everybody knows that XSS is a client side exploit, you're acting naive by pretending like we're claiming it gives access to a server and ignoring the fact that having control of the client gives you de facto control of whatever account is logged into the client. | ||||||||
| ||||||||