Paragon Initiative Enterprises: Cross-site-Scripting

2017-05-04T21:39:30
ID H1:226203
Type hackerone
Reporter pahan1234
Modified 2017-05-05T20:50:29

Description

Steps:

1. Go to https://bridge.cspr.ng/my/account for your account.
2. In the "Custom Profile field option", check the box and enter the XSS payload in the "display name" field. Payload: "p<script>alert('xss')</script>"
3. Update the information.
4. Open the account in Internet Explorer 11 and the XSS will be executed.

Note: Here the server does not sanitize the user input properly. The payload will not work in the Firefox and Chrome browsers due to "Content-Security-Policy", but Internet Explorer does not support "Content-Security-Policy", so the XSS will execute.

This is stored XSS and the display name will be visible everywhere, so account takeover of other users is possible.
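
The server-side fix for the issue reported above is to encode the display name whenever it is written into HTML, so the outcome does not depend on the browser enforcing Content-Security-Policy. The following is an added example, not part of the original report and not Bridge's own code; the function names and markup are hypothetical.

```javascript
// Added example: hypothetical render helpers, not Bridge's real templates.

// Encode the five characters that can change HTML parsing context.
// "&" is replaced first so the entities produced below are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// BEFORE: the stored value is concatenated straight into markup.
function renderProfileVulnerable(displayName) {
  return '<h1 class="name">' + displayName + "</h1>";
}

// AFTER: encoded at output time, in both attribute and text contexts,
// since the display name is shown in many places.
function renderProfileSafe(displayName) {
  const safe = escapeHtml(displayName);
  return '<h1 class="name" title="' + safe + '">' + safe + "</h1>";
}

// Crude check for this demo only: does the markup still open a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Display name taken from the report's reproduction steps.
const reported = "p<script>alert('xss')</script>";
// Constructed name showing that legitimate punctuation survives encoding.
const benign = 'Anne "Ann" O\'Neil & Co';

function demo() {
  return {
    vulnerable: containsScriptTag(renderProfileVulnerable(reported)),
    safe: containsScriptTag(renderProfileSafe(reported)),
    benign: renderProfileSafe(benign),
  };
}

console.log(demo());
```

With output encoding in place, Content-Security-Policy remains a second layer for browsers that support it rather than the only control.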