Cisco is a well-known company that designs, manufactures and sells networking devices. While testing a Cisco website I found a stored cross-site scripting (XSS) vulnerability. I reported this vulnerability to Cisco; after a long conversation they fixed the bug and, three months later, awarded me an appreciation certificate.
Vulnerability Type: Stored XSS
Vulnerable Link: https://res.cisco.com
Payload used: "/><img src=x onerror=prompt(/XSS-Tested-By-Yogesh-Prasad/)>
How the payload works: the leading "/> closes the attribute value and the tag into which the address is written, so what follows is parsed as new markup. The <img> element points at a non-existent source (x), so the load fails and the onerror handler runs. The handler text uses a regex literal (/.../) instead of a quoted string so the payload contains no quote characters that the surrounding attribute or a filter could consume, and it must contain no whitespace, because an unquoted attribute value ends at the first space.
Reproduction steps:
1-Go to https://res.cisco.com/websafe/login.action
2-Log in to your account.
3-Click on "Compose Message" and send a message to any email address (X).
4-You will find an attachment with a .html extension in the email received at X.
5-Click "View" on the attachment.
6-In the "To" section you will find a dropdown; select "Address not listed".
7-Click "Open", then click "Yes" at the confirmation prompt.
8-In the email address box, enter the payload given above.
9-Press Enter and you will get the popup box generated by the XSS.
Proof:
Appreciation Certificate Awarded by Cisco:
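The steps above show an attribute-breakout XSS: an address the user types is written into an HTML attribute of the envelope page without encoding. The following is an added example, not Cisco's code, illustrating a hypothetical "To" field template in its vulnerable and hardened forms, and a small attribute-aware tag tokenizer that shows which start tags and event handlers a browser would actually see. The template string and function names are assumptions for illustration; only the payload is taken from the write-up.

```javascript
// Added example (not code from Cisco or the original post). The template
// below is a hypothetical stand-in for the envelope's "To" address field.

// The payload from the write-up. The regex literal /.../ avoids quote
// characters, and the handler contains no whitespace, because an unquoted
// attribute value ends at the first space.
const PAYLOAD = '"/><img src=x onerror=prompt(/XSS-Tested-By-Yogesh-Prasad/)>';

// Vulnerable: the address is concatenated straight into a quoted attribute.
function renderVulnerable(address) {
  return '<input name="to" value="' + address + '"/>';
}

// Contextual output encoding for the HTML attribute context: the five
// characters that can change the meaning of text or attribute content.
function encodeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened: the same template with the address attribute-encoded.
function renderSafe(address) {
  return '<input name="to" value="' + encodeAttr(address) + '"/>';
}

// Minimal attribute-aware tokenizer (not a full HTML5 parser). It returns the
// start tags a browser would see, each with its attribute map. Quoted values
// are read whole, so an encoded payload stays inside its attribute; unquoted
// values end at whitespace or '>', exactly as in the browser.
function startTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<' || !/[a-zA-Z]/.test(html[i + 1] || '')) { i++; continue; }
    i++;
    let name = '';
    while (i < html.length && /[^\s\/>]/.test(html[i])) name += html[i++];
    const attrs = {};
    while (i < html.length && html[i] !== '>') {
      if (/[\s\/]/.test(html[i])) { i++; continue; }
      let attr = '';
      while (i < html.length && /[^\s=\/>]/.test(html[i])) attr += html[i++];
      let value = '';
      if (html[i] === '=') {
        i++;
        const q = html[i];
        if (q === '"' || q === "'") {
          i++;
          while (i < html.length && html[i] !== q) value += html[i++];
          i++; // consume the closing quote
        } else {
          while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
        }
      }
      if (attr) attrs[attr.toLowerCase()] = value;
    }
    i++; // consume '>'
    tags.push({ name: name.toLowerCase(), attrs });
  }
  return tags;
}

// List every "on*" event-handler attribute, as "tag@attribute".
function eventHandlers(html) {
  const found = [];
  for (const t of startTags(html)) {
    for (const a of Object.keys(t.attrs)) {
      if (a.startsWith('on')) found.push(t.name + '@' + a);
    }
  }
  return found;
}

// Stand-alone run: the vulnerable render yields a second element carrying an
// onerror handler; the hardened render yields only the input element.
console.log('vulnerable:', eventHandlers(renderVulnerable(PAYLOAD)));
console.log('hardened:  ', eventHandlers(renderSafe(PAYLOAD)));
```

The fix that matters is the encoding step in renderSafe: the input string is unchanged, but once the quote and angle brackets are entity-encoded the parser never leaves the value attribute, so the onerror handler is just inert text. A templating engine that auto-escapes by context achieves the same result without hand-written replace chains.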