Hay,
Today i am going to show how i found XSS on site your-domain.redacted.com who provide
Help Desk & Live Chat Software.
Now in the signup page i am trying to create a account with the payload in
Full name but it showing error "
Invalid name on name"
 |
| Signup page |
|
then i filled it with my name and i finished signup. It redirect me to
https://your-domain.redacted.com/agent/index.php#GettingStarted;
Without checking other staffs i go to
Edit profile
 |
| Setting page after signup |
|
and here i can able add
XSS Payload in Name field also in Alias field ( image bellow )
 |
| Setting Page |
After save this
Setting when i back to my Dashboard nothing happen i mean no
PopUp
 |
| Profile after added payload, No XSS |
|
Then i am start looking into source code what actually happening.After scrolling source code suddenly my eyes stuck into a
JS code
 |
| before bypass |
Oh boy! </script> blocking the <script> here so again i get my ass back into
Edit Setting then i filled
Name with xss payload
Payload: </script><script>alert(document.domain);</script>
Then i save it, and back to my Dashboard and tada! XSS Executing success.
 |
| XSS Popup |
 |
| After added new payload |
|
 |
| I start dancing like this ππ |
Status:
------------------
30-09-2018 - Reported to the team
02-10-2018 - Issue Resolved ( No Bounty No HoF π )
Merkur Gold Strike Safety Razor - FEBCASINO
ReplyDeleteMerkur's Gold casinosites.one Strike Safety Razor, febcasino.com Merkur https://febcasino.com/review/merit-casino/ Platinum λ©μ΄νΌλ‘μΆμ₯λ§μ¬μ§ Edge Plated Finish, ν ν German, Gold-Plated, Satin Chrome Finish. Merkur has a more aggressive looking,