> Why don't you include a POC? I have one that demonstrates this attack, but I don't want to show script kiddies how. If you can't figure out how to construct it by reading the above description and the network traffic, you don't deserve to know how.

I feel this is a bad way to approach it and a bad attitude in general. Showing people how this can be exploited (after responsible disclosure) is a great opportunity to spread awareness of potentially their own issues in the same space and create points of discussion. If a user feels compelled to do so, they can seek out the info. But to show disdain to the reader for their lack of knowledge comes off as unprofessional in spirit.



I disagree, and we'll just have to leave it at that. Anyone who knows how to construct an AJAX request and look at the Network tab can figure this out.


While I understand the point you made in that last sentence, the very last part of it sounded needlessly loaded even though I can easily figure such things out. Replacing "you don't deserve to know how" by, say, "you're not the target audience" or anything to that effect goes a long way to not detracting from getting your real point across.

BTW this last easily misunderstood sentence sits just above your "I'm available for hire" link, which is not exactly painting you in a bright light for recruitment.


I agree. There was no need to insult your audience, and it is a career-limiting move in the long run. The Internet has a long memory.


My career's doing just fine, thanks.


You're defending a made-up (mis)interpretation.


Saying "You don't deserve to know how" is not a friendly and constructive message to send to your audience or potential employers. There's no misinterpretation here, it's in bad spirit.
