Cross Site Scripting Vulnerability in CISCO.

Saturday, March 5, 2016

Cross Site Scripting Vulnerability in CISCO.

CISCO is a well known company that designs, manufactures and sells networking devices.While testing on website of CISCO i found a stored cross site scripting vulnerability there.I reported this vulnerability to CISCO , after a long conversation they fixed the bug and awarded me an Appreciation certificate after 3 months.

Vulnerability Type: Stored XSS
Vulnerable Link: https://res.cisco.com

Payload used: "/><img src=x onerror=prompt(/XSS-Tested-By-Yogesh-Prasad/)>

Reproduction steps:
1-Go to https://res.cisco.com/websafe/login.action
2-Login to your account.
3-click on compose message and send a message to any email(x).
4-Now you will find an attachment in email(X) with .html extension.
5-Click on view on attachment.
6-Now in To section,you will foind a dropdown,"select address not listed"
7-Click on open,Click on yes during confirmation.
8-Now in email box use the above given payload Payload used: "/><img src=x onerror=prompt(/XSS-Tested-By-Yogesh-Prasad/)>
9-Press Enter and you will get the "popup box" generated by XSS.

Proof :

Appreciation Certificate Awarded by CISCO :

3 comments:

Shehu AwwalApril 14, 2016 at 11:24 AM
Next time, you should do a video PC not writeup only it will give a clearer view of your POC,.. Thanks
ReplyDelete
Replies
SamatajulliMay 11, 2016 at 3:42 AM
The step by step contents were easy analyzing. But output of screen chat its really workout to the post.

SAP training in Chennai
ReplyDelete
Replies
Maani kamiliJune 15, 2016 at 12:22 AM
I read a weblog, I hope that it doesnt sadden me as much as this one. I’m talking about, I know it was my selection to read, but I actually thought youd have something interesting to say. Great work admin..

Digital marketing company in Chennai
ReplyDelete
Replies

Add comment