I just found an XSS vulnerability on one website. I have two problems with it:
• 1. Like other websites, it has two options: ONE - LOGIN_ID & PASSWORD and SECOND - Forgot your password.
When I clicked on 'Forgot your password', one field appears [like a pop-up]. When I put an XSS vector into that field, the field shows the output of the vector [<script>alert('XSSPOSED')</script>] and then prints '<XSS_vector> not found in database'. I also tried an image from the internet in this field; this image also appears, which means the vulnerability is there. But when I tried to find the POST data of that webpage with Firebug, the webpage shows there are no more POST data requests.
• 2. The second problem is with the URL. The original vulnerability was found in the 'forgot password' option field, not on domain_name/login.php, but there is no URL for 'forgot password' [they show the same URL, i.e. domain_name/login.php].
So if I report it and give it to xssposed like the following:
* XSS URL: domain_name/login.php
* POST data (application/x-www-form-urlencoded): none
* Cookies: Cookies from website
then is it OK? Unless I send them a video or screenshot of that output [but there is no such upload field in the report form], so I don't know what to do.
I hope you will understand my problem and help me!
Regards,
Yadnyawalkya Tale,
Vulnerability and POST data
Re: Vulnerability and POST data
Looks like self XSS which wouldn't be accepted. However, I'd still recommend reporting it to the administrator as it's certainly a bug.
Is your XSS vector included in any of the GET requests? If it is, rarely but worth mentioning, going to the location of that GET request can trigger the XSS and give you a GET to submit.
Re: Vulnerability and POST data
yvtale wrote:
> So if I report it and give it to xssposed like following
> * XSS URL: domain_name/login.php
> * POST data (application/x-www-form-urlencoded): none
> * Cookies: Cookies from website
> then is it OK?

We can't approve a report without POC code.
Re: Vulnerability and POST data
You have to read more, these are not the XSSes as expected.
They are just dust for now. I believe you will learn it soon; till that time, stop posting all screenshots everywhere, please.
Re: Vulnerability and POST data
tbmnull wrote:
> You have to read more, these are not the XSSes as expected.
> They are just dust for now. I believe you will learn it soon; till that time, stop posting all screenshots everywhere, please.

Yes sir, thanks for the suggestion!