CISCO is a well known company that designs, manufactures and sells networking devices.While testing on website of CISCO i found a stored cross site scripting vulnerability there.I reported this vulnerability to CISCO , after a long conversation they fixed the bug and awarded me an Appreciation certificate after 3 months.
Vulnerability Type: Stored XSS
Vulnerable Link: https://res.cisco.com
Payload used: "/><img src=x onerror=prompt(/XSS-Tested-By- Yogesh-Prasad/)>
Reproduction steps:
1-Go to https://res.cisco.com/websafe/ login.action
2-Login to your account.
3-click on compose message and send a message to any email(x).
4-Now you will find an attachment in email(X) with .html extension.
5-Click on view on attachment.
6-Now in To section,you will foind a dropdown,"select address not listed"
7-Click on open,Click on yes during confirmation.
8-Now in email box use the above given payload Payload used: "/><img src=x onerror=prompt(/XSS-Tested-By- Yogesh-Prasad/)>
9-Press Enter and you will get the "popup box" generated by XSS.
Proof :
Appreciation Certificate Awarded by CISCO :
Vulnerability Type: Stored XSS
Vulnerable Link: https://res.cisco.com
Payload used: "/><img src=x onerror=prompt(/XSS-Tested-By-
Reproduction steps:
1-Go to https://res.cisco.com/websafe/
2-Login to your account.
3-click on compose message and send a message to any email(x).
4-Now you will find an attachment in email(X) with .html extension.
5-Click on view on attachment.
6-Now in To section,you will foind a dropdown,"select address not listed"
7-Click on open,Click on yes during confirmation.
8-Now in email box use the above given payload Payload used: "/><img src=x onerror=prompt(/XSS-Tested-By-
9-Press Enter and you will get the "popup box" generated by XSS.
Proof :
Appreciation Certificate Awarded by CISCO :
Next time, you should do a video PC not writeup only it will give a clearer view of your POC,.. Thanks
ReplyDeleteThe step by step contents were easy analyzing. But output of screen chat its really workout to the post.
ReplyDeleteSAP training in Chennai
I read a weblog, I hope that it doesnt sadden me as much as this one. I’m talking about, I know it was my selection to read, but I actually thought youd have something interesting to say. Great work admin..
ReplyDeleteDigital marketing company in Chennai