Vulnerable Service: https://developers.jotform.com
Description: The service mentioned above is vulnerable to Persistent XSS, due to which an attacker is able to steal user cookies which may lead to account hijacking.
Demo XSS thread:
https://developers.jotform.com/forum/post/<Removed>
- Click on "For Testing Purposes" to see the alert message.
Payload: javascript:alert('I_Am_Vulnerable_To_XSS');
Steps of Reproduction:
-Create a new thread & in thread editor click "Add hyperlink" button.
-Now instead of URL, paste payload there.
-"http://" will be automatically added to the payload, you need to remove that.
Proof of Concept:
Bounty:
Amit is a Security Engineer acknowledged by Google, Apple, Microsoft, eBay, Intel and other top companies for reporting security issues in their web services.
0 comments:
Post a Comment