psiinon / bodgeit

The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.

Additional XSS attack not counted as a passed challenge #6

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
You can do an XSS attack on the Login form that does not count for any challenge result:

1. Go to http://localhost:18080/bodgeit/login.jsp
2. Provide Username `user1@thebodgeitstore.com') --<script>alert("XSS")</script>`

Original issue reported on code.google.com by bjoern.k...@gmx.de on 9 Aug 2013 at 8:08
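As an added illustration of the reflection the report describes (this is example code, not BodgeIt's own login.jsp, and the handler shape is an assumption): a login page that echoes the submitted username straight into its HTML error message reflects the `<script>` part of the payload unchanged, while the same page with output encoding neutralises it. The `') --` prefix of the payload is aimed at a SQL string literal, not at the HTML, so it is carried along verbatim here. The `reflects_script` check is the kind of test a challenge-scoring hook would need to run over the rendered response in order to count this as a pass.

```python
import html

# Exact payload from the issue (constructed test input for this example).
PAYLOAD = 'user1@thebodgeitstore.com\') --<script>alert("XSS")</script>'

# What an XSS challenge would typically look for in the rendered page.
XSS_MARKER = '<script>alert("XSS")</script>'


def render_login_error_vulnerable(username: str) -> str:
    """Hypothetical login failure page: the username is interpolated into
    HTML without any encoding, so markup in it becomes live markup."""
    return f'<p class="error">Login failed for {username}</p>'


def render_login_error_fixed(username: str) -> str:
    """Same page with context-appropriate output encoding: html.escape turns
    <, >, &, and both quote characters into entities, so the browser shows
    the payload as text instead of executing it."""
    return f'<p class="error">Login failed for {html.escape(username, quote=True)}</p>'


def reflects_script(page: str, marker: str = XSS_MARKER) -> bool:
    """True when the raw script tag survives in the rendered response,
    i.e. the reflected XSS actually fired."""
    return marker in page


if __name__ == "__main__":
    for name, render in (("vulnerable", render_login_error_vulnerable),
                         ("fixed", render_login_error_fixed)):
        page = render(PAYLOAD)
        print(f"{name}: reflected={reflects_script(page)}\n  {page}")
```

Running the block prints the two rendered pages side by side; only the vulnerable one still contains an executable script tag, and the fixed one carries `&lt;script&gt;` and `&#x27;` entities instead.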