Steam account phish site

This is one of the more clever ones I’ve ran across, incredibly good design. However it’s vulnerable to XSS.


Run a check on this site with ZAP, so dodgey. here is another weakness.

Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist.