Recently, I was doing a grey-box pentest of a web application, meaning the company also provided admin panel credentials. The main web page, which is for normal users, has the functionality to apply for some kind of license.
For a license application, users need to fill in various fields and provide some documents for verification purposes.
The license application has the “first name” and “last name” fields prefilled with the values given while creating the account; they can also be edited in the profile settings.
Finding Blind XSS
In the first name and last name fields, I entered a blind cross-site scripting payload.
For the payload I used https://xsshunter.trufflesecurity.com/, and submitted a new license application with the blind XSS payload in the first and last name fields.
For validation, I opened the admin panel and checked the license application section, and what? The payload got EXECUTED!!!
On https://xsshunter.trufflesecurity.com, the admin user's cookie, IP address, user agent, and URL came through.
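The rendering mistake behind this finding, as an added example that is not code from the original post or from the tested application: a mock admin-panel row renderer that drops the stored name fields into HTML verbatim, beside the same renderer with output encoding, plus a triage check over stored records. All function names and sample values are constructed.

```python
import html
import re

# Constructed sample records: the kind of applicant names an admin panel lists.
# The second one carries plain markup, standing in for the stored probe the
# write-up describes; no real payload is needed to show the point.
SAMPLE_APPLICATIONS = [
    {"first_name": "Ann", "last_name": "Lee"},
    {"first_name": "<b>Ann</b>", "last_name": "Lee<i>"},
]

ROW_TEMPLATE = "<tr><td>{first}</td><td>{last}</td></tr>"


def render_row_vulnerable(app: dict) -> str:
    """The pattern that bit this target: stored first/last names are inserted
    into the admin listing unescaped, so any markup an applicant saved is
    interpreted by the admin's browser when the page loads."""
    return ROW_TEMPLATE.format(first=app["first_name"], last=app["last_name"])


def render_row_safe(app: dict) -> str:
    """Same listing with contextual output encoding: every untrusted value is
    HTML-entity-escaped at render time, so markup is shown as text."""
    return ROW_TEMPLATE.format(
        first=html.escape(app["first_name"], quote=True),
        last=html.escape(app["last_name"], quote=True),
    )


def find_markup_in_names(apps: list) -> list:
    """Triage aid (defence in depth, not the fix): flag stored name fields
    containing characters a name never needs, so suspicious records can be
    reviewed before an admin opens them. Encoding on output is the real fix."""
    flagged = []
    for i, app in enumerate(apps):
        for field in ("first_name", "last_name"):
            if re.search(r"[<>\"']", app[field]):
                flagged.append((i, field))
    return flagged


if __name__ == "__main__":
    for app in SAMPLE_APPLICATIONS:
        print("vulnerable:", render_row_vulnerable(app))
        print("safe:      ", render_row_safe(app))
    print("flagged:", find_markup_in_names(SAMPLE_APPLICATIONS))
```

Marking the admin session cookie HttpOnly would have kept the cookie out of the exfiltrated data here, but the listing still needs output encoding for the markup to stop executing at all.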
Follow for more regular blogs on my findings.
Let’s talk on LinkedIn: https://www.linkedin.com/in/muhammad-abdullah-32a753208/
Till then, GOOD BYE!!