Unsanitized Data – An XSS Case Study                                 Chapter 4


































            Gathering Report Information

            There's a lot of information that we'll need about the vulnerability we've discovered, info
            that will be necessary or useful across submission platforms and styles.



            Category

            Very simply, this is the category the bug falls into. In our case, it is Persistent XSS.


            Timestamps

            If you're using an automated or just code-based solution to touch the target, taking
            timestamps is a must d the more accurate the better. If, like us just now, you manually
            entered a malicious snippet, simply the time after the discovery will suffice. Giving the time
            of discovery in UTC will save the developer who is fielding the report from doing a mental
            timezone conversion before analyzing logs, usages charts, and other monitoring tools.







                                                    [ 69 ]