Cross-site Scripting (XSS) - Generic in bigprof-software/online-invoicing-system
Mar 26th 2021
🕵️♂️ Proof of Concept
You can find installation instructions here: https://bigprof.com/appgini/applications/online-invoicing-system
Vulnerable Parameter: p0-start ( p1-start & p2-start also)
XSS Payload: 01/03/2021'"()%26%25<yes><ScRiPt%20>alert(1)</ScRiPt>
Once its installed sucessfully, Visit below POC link to trigger XSS:
With the help of xss attacker can perform social engineering on users by redirecting them from real website to fake one. Attacker can steal their cookies leading to account takeover and download a malware on their system, and there are many more attacking scenarios a skilled attacker can perform with xss.