Cross-site Scripting (XSS) - Reflected in microweber/microweber
Jan 2nd 2022
PAYLOAD for Firefox:
a' onafterscriptexecute=alert(document.domain) c='a (requires NO user-interaction)
PAYLOAD for all major browsers:
a' onclick=alert(document.domain) c='a (requires user-interaction)
NOTE: I'm using Firefox, so I used the first payload in the PoC. You can refer to https://portswigger.net/web-security/cross-site-scripting/cheat-sheet to know which XSS payloads can be triggered in other browsers.
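Both payloads above work the same way: the single quote closes the attribute the parameter is reflected into, and what follows is parsed as a new attribute, in this case an event handler. The following is an added example, not Microweber's code and not part of the original report: a hypothetical PHP page (function names render_unsafe, render_safe and injected_handlers are my own) that reflects a parameter into a single-quoted attribute, once unescaped and once encoded for the attribute context, and checks the rendered markup the way a browser's parser would. The fix shown is generic attribute-context output encoding, not the project's actual patch.

```php
<?php
declare(strict_types=1);

// Added example, not Microweber code: a hypothetical page that reflects a query
// parameter into a single-quoted HTML attribute, first unescaped and then
// encoded for the attribute context, so the breakout used by the report's
// payloads can be observed from the command line with `php attr_context.php`.

// Vulnerable form (hypothetical). A value containing a single quote ends the
// attribute early; whatever follows is parsed as further attributes, which is
// how an on* event-handler string becomes a live handler.
function render_unsafe(string $value): string
{
    return "<input type='text' name='q' value='" . $value . "'>";
}

// Hardened form. ENT_QUOTES makes htmlspecialchars encode both ' and ", so the
// quote in the input becomes &#039; and the attribute cannot be closed early.
// Before PHP 8.1 the default flag set was ENT_COMPAT, which leaves ' untouched,
// so pass ENT_QUOTES explicitly whenever writing into an attribute.
function render_safe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='text' name='q' value='" . $encoded . "'>";
}

// Parses the rendered fragment as HTML and returns the names of any on*
// attributes that ended up on the <input>. An empty array means no handler
// was injected.
function injected_handlers(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // fragments produce parser notices
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $found = [];
    foreach ($doc->getElementsByTagName('input') as $input) {
        foreach ($input->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $found[] = $attr->name;
            }
        }
    }
    return $found;
}

// Constructed input mirroring the shape of the report's cross-browser payload.
$input = "a' onclick=alert(document.domain) c='a";

$unsafe = render_unsafe($input);
$safe   = render_safe($input);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo "handlers in unsafe: ", implode(',', injected_handlers($unsafe)) ?: '(none)', "\n";
echo "handlers in safe:   ", implode(',', injected_handlers($safe)) ?: '(none)', "\n";

// Exit non-zero if the hardened rendering still exposes a handler, so the
// file can double as a regression check.
$ok = injected_handlers($unsafe) === ['onclick'] && injected_handlers($safe) === [];
echo $ok ? "check passed\n" : "check FAILED\n";
exit($ok ? 0 : 1);
```

Run it with `php attr_context.php`: the unsafe rendering reports an `onclick` attribute on the input, the encoded one reports none. The Firefox-only payload differs only in the event name, which is why the fix has to be output encoding in the template rather than a blocklist of handler names: the context decides which characters are dangerous, not the browser.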
Proof of Concept
- On Firefox, visit
XSS alert will pop-up showing the domain name.
- Steal the CSRF token of users and perform unintended actions on their behalf, such as buying a product.
and many more...