All posts by bede

This is a write-up on how I hooked my JJP Hobbit Pin to the Internet, enabling live streaming directly from the pinball machine, and allowing people to interact with my pin by displaying messages and images through the Internet on my pinball backglass.
All changes were to software, with the exception of plugging in a few cords.

TLDR; 7-minute overview video @


I discovered a single XSS finding, with the ability to pop up only a numeric value. I was able to see that my variable was getting included inside of some JavaScript in the returned page. I started adding more commands with a semicolon at the end and lo and behold they worked, as long as I didn’t use a ‘>’ character and trigger the .NET validation routines. It’s interesting because you can inject just about any JavaScript you want, and that leaves a lot of room for client-side mischief like false web sites to harvest passwords, etc.

For the latest advisory Click Here