Bug type: Stored Cross Site Scripting (XSS) and HTML Injection — Part 2

Hey Everyone!

This is my second write-up and I have successfully caught another low-hanging fruit in one of the prominent online reseller’s web applications (Cannot disclose the name of the website, the issue is not resolved yet).

I was exploring this web application manually which is running a self-hosted vulnerability disclosure program (Found through google dork).

As usual, I registered myself in the web application by injecting the HTML and XSS payload in all possible input fields (First name, last name, etc.) Unfortunately, no reflection of the HTML payload or popup for XSS occurred on any of the pages. I checked all the possible pages where the input field is appearing to see if the payload is getting reflected or not.

Since the web application was selling products online so I thought it could be possible that the payload may reflect on the checkout page but again no reflection. One thing I noticed was that during checkout it was asking me to add the Address, so I clicked and injected the payload in all the input fields of the address (Shown in Figure 1).

Figure 1

The moment I clicked on “Save & continue” I got the XSS popup for cookies and HTML injected payload is also reflected (Shown in Figure 2 and 3).

Figure 2 (XSS)
Figure 3 (HTML Injection)

I made the POC and recording stuff, forwarded it to the respective organisation and hopefully it will be resolved very soon. Thanks a lot for reading! Stay Curious Stay protected !

Feel free to get connected ===>

YouTube channel: https://www.youtube.com/channel/UCYm4DMbIqHaOWhJh5JV4Bxw

LinkedIn: https://www.linkedin.com/in/vaibhav-kumar-srivastava-378742a9/