bodgeit Additional XSS attack in contact.jsp not counted as passed challenge -- XSS in contact.js

Additional XSS attack in contact.jsp not counted as passed challenge -- XSS in contact.js

Open julianthome opened this issue 6 years ago • 0 comments

It is possible to run a XSS attack through the contact.jsp servlet that allows attackers to run arbitrary javascript code on the contact.jsp page itself and on admin.jsp.

Go to contact.jsp as guest user
Switch on network traffic recording (through your browser or proxy)
Click the submit button
Change both the null and comments fields to %3CScript%3Ealert%28%27hello%27%29%3B%3C%2FScript%3E (e.g. null=%3CScript%3Ealert%28%27hello%27%29%3B%3C%2FScript%3E&anticsrf=0.33839068496777436&comments=%3CScript%3Ealert%28%27hello%27%29%3B%3C%2FScript%3Enull=%3CScript%3Ealert%28%27hello%27%29%3B%3C%2FScript%3E&anticsrf=0.33839068496777436&comments=%3CScript%3Ealert%28%27hello%27%29%3B%3C%2FScript%3E).
Login as admin user
Two pop-up boxes with the text hello should be displayed

Dec 01 '17 14:12 julianthome

bodgeit bodgeit copied to clipboard

Additional XSS attack in contact.jsp not counted as passed challenge -- XSS in contact.js

bodgeit
bodgeit copied to clipboard