Path: /catalog/subscribe

/catalog/subscribe			
Cross-site scripting (reflected)

Vulnerability 1: Reflected XXS

What is reflected XSS (cross-site scripting)? Tutorial & Examples | Web Security AcademyWebSecAcademy

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Impact:

The impact of the vulnerability is a complete compromise of the victim's account, enabling unauthorized actions, data access/modification, and potential propagation of attacks impersonating the victim.

Exploiting:

First, ensure to capture the request. Navigate to the website, enter a valid email address, and click on the subscribe button.

In the email ID field, I intend to insert a cross-site scripting (XXS) script to verify whether it is processed by the browser.

Note: I am logged in as a Chalos user currently.

<script\x20type=\"text/javascript\">javascript:alert(1);</script>

We just got this error and not any popup or alert.

Trying Another exploit:

'`\"><\x3Cscript>javascript:alert(1)</script>

It is giving same error.

Trying basic XXS script.

<script>alert(1444)</script>

After forwarding the payload, we received a coupon. This is standard behaviour that occurs following the submission of the request.

Upon this attempt, no error was encountered. Instead, the payload was displayed where the email ID should be. This indicates that the payload is not being evaluated in the background.

PreviousPath: /blog NextPath: /catalog

Last updated 11 months ago

Was this helpful?

hashtagVulnerability 1: Reflected XXS

Vulnerability 1: Reflected XXS