medmahmoudi26 / carpool

Application de covoiturage et gestion de parking

Demo report: XSS in lotus123 H1B home page #2

Open medmahmoudi26 opened 2 years ago

medmahmoudi26 commented 2 years ago

Link: https://hackerone.com/reports/1717169
Date: 2022-09-29 19:40:05 UTC
By: demo-hacker
Weakness: Absolute Path Traversal

Details:
In some fantasy world, the home page of lotus123 H1B is vulnerable to an imaginary Cross-Site Scripting attack.

  1. Visit home page of lotus123 H1B
  2. Open the browser's JavaScript console
  3. Type alert(/xss!/) and press enter
  4. Profit!

Impact

In our fantasy world, exploiting this vulnerability allows us to run an external script on your website that, for example, steals the cookies of the users who are facing the XSS and thus gains access to the account of the victim.

medmahmoudi26 commented 2 years ago

medmahmoudi posted a comment on HackerOne:

test 2

medmahmoudi26 commented 2 years ago

test