No HoF for simple XSS because HBH has IP-encrypted cookies, so try to use the vuln to exploit something different than a cookie stealer. I read something like persistent XSS that worked as keyloggers, but idk more.
Finding XSS holes on this site isn't hard, there's a few of mine listed on the bugs page. Larika: stealing cookies isn't nearly the only thing that can be done with XSS.
Note how this site doesn't require your old password to change your current password or your email address.
It would be quite possible to create an XSS which changes your current password to a random long string, changes your email address to mine and then sends me your new password. I've just stolen your account.
Alternatively, if you have told your browser to store your username and password for your account, I can steal that (which of course is in plaintext). I did that to Cheese, that's how I got the HoF entry.
I can send you to another site to XSS you there.
I can do recon on your browser (check your browsing history, what extensions you have installed, etc.).
XSS is NOT only for stealing cookies and XSS holes should therefore be fixed quickly.
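
The account-takeover path in the post above depends on the site accepting a password or email change on the strength of the session alone. As an added example (not part of the thread and not Hellbound Hackers' code; `Account`, the handler names and the sample values are hypothetical), this contrasts that behaviour with a handler that re-checks the current password first:

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch

def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

class Account:  # hypothetical in-memory account record
    def __init__(self, email, password):
        self.email = email
        self.salt, self.digest = hash_password(password)

def _apply(account, new_email, new_password):
    if new_email:
        account.email = new_email
    if new_password:
        account.salt, account.digest = hash_password(new_password)

def change_credentials_weak(account, new_email=None, new_password=None):
    """Behaviour the post describes: a valid session is enough to change either field."""
    _apply(account, new_email, new_password)
    return True

def change_credentials_hardened(account, current_password, new_email=None, new_password=None):
    """Refuse any change unless the caller proves knowledge of the current password."""
    if not current_password or not verify_password(current_password, account.salt, account.digest):
        return False
    _apply(account, new_email, new_password)
    return True

if __name__ == "__main__":
    acct = Account("owner@example.test", "constructed-sample-pw")  # constructed sample data
    print(change_credentials_hardened(acct, None, new_email="other@example.test"))  # session only
    print(change_credentials_hardened(acct, "constructed-sample-pw", new_password="n3w-sample-pw"))
```
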
Hellbound Hackers is the collective work of the staff and the community and is therefore licensed under the CC BY-NC-SA license.