While testing, I found a security vulnerability/bug on the website https://www.inflectra.com/. This website provides a Hall of Fame for bug hunters or security researchers who report vulnerabilities, so I decided to test it. By luck and my hard work I found 2 XSS vulnerabilities on this website: the 1st was a Reflected XSS and the other was a Persistent XSS.
Vulnerability 1:
Vulnerability Type: Reflected XSS (Cross-site scripting)
Vulnerable Link: http://www.inflectra.com/Support/External.aspx
Payload used: "/><img src=x onerror=alert(/XSS-Tested-By-Yogesh-Prasad/)>
Reproduction steps:
1- Go to http://www.inflectra.com/Support/External.aspx
2- In the search box (the "First search box") use the above given payload.
3- Press Enter and you will get the "popup box" generated by XSS.
Proof:
Vulnerability 2:
Vulnerability Type: Stored XSS (Cross-site scripting)
Vulnerable Link 1: https://www.inflectra.com/Support/Account/Register.aspx
Vulnerable Link 2: https://www.inflectra.com/Support/Account/Default.aspx
Payload used: "/><img src=x onerror=alert(/XSS-Tested-By-Yogesh/)>
Reproduction steps:
1- Go to https://www.inflectra.com/Support/Account/Register.aspx
2- In the First name and Last name boxes use the above given payload, and in the remaining fields use rough details for the test.
3- Press Enter and your account will be created.
4- Now on the "top right side" you will get the profile option shown with your username, as shown in the picture below.
Proof:
For reporting this vulnerability, I got listed on their Hall of Fame page.
http://www.inflectra.com/Company/Responsible-Disclosure.aspx
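As an added example (not code from the original post or from Inflectra), the following Node.js snippet shows why a value of the shape quoted above breaks out of an HTML attribute and how encoding the value for its output context neutralises both the reflected (search box) and the stored (profile name) case. The function names and templates are hypothetical stand-ins for the site's markup.

```javascript
// Added example, not from the original post or the site: attribute-context
// output encoding versus raw string concatenation. The templates and
// function names below are hypothetical stand-ins for the site's markup.

// Encode the characters that terminate text or a quoted attribute value.
// '&' goes first so already-encoded output is not double-encoded.
// (ASP.NET's built-in equivalent is HttpUtility.HtmlAttributeEncode.)
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Reflected case, vulnerable pattern: the search term is echoed straight
// into the value attribute, so a leading "/> closes the <input> element.
function renderSearchBoxUnsafe(query) {
  return `<input type="text" name="q" value="${query}">`;
}

// Hardened: the same template, with the value encoded for its context.
function renderSearchBox(query) {
  return `<input type="text" name="q" value="${htmlEncode(query)}">`;
}

// Stored case: a first/last name read back from storage and shown in the
// page header. Encoding belongs at output time, on every render.
function renderProfileName(firstName, lastName) {
  return `<span class="user">${htmlEncode(firstName)} ${htmlEncode(lastName)}</span>`;
}

// Defender-side check: a fragment rendered from one template must contain
// exactly the start tags the template has; any extra one means the input
// escaped its context. Adequate for this fixed template, not a general parser.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed probe with the same shape as the payload quoted in the post.
const probe = '"/><img src=x onerror=alert(1)>';

console.log(countStartTags(renderSearchBoxUnsafe(probe))); // 2: input + injected img
console.log(countStartTags(renderSearchBox(probe)));       // 1: only the input
console.log(renderProfileName(probe, "Prasad"));
```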