Monday, 14 January 2013

[ Resolved Self-XSS on Zagat.com ]


This is a self-XSS on zagat.com that I reported responsibly on 19/05/2012; Google fixed it within days.

Severity: Self-XSS
Confidence: Certain
Host:   http://www.zagat.com
Path:   GET /search/location

Issue detail:
The XSS vector in my example is
"><img src=x onerror=prompt(1);>
I submitted it in the middle of the value of the "location" field; for this example I used "annandale, va". This input was echoed as
annan"><img src=x onerror=prompt(1);>+dale%2C+va
in the application's response.

This proof of concept demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The reflected value is written into a quoted attribute without encoding: the double quote ends the attribute value, the closing angle bracket ends the element, and the <img> tag that follows is parsed as new markup, so its onerror handler runs and introduces arbitrary JavaScript into the document.
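
The following is an added example written for this post; it is not Zagat's code. It models the pattern the reflection above implies: a server-side template that writes the "location" search parameter back into a double-quoted input attribute. The function names, the template and the sample input are assumptions, and the hardened version uses ordinary attribute-context HTML entity encoding to show what stops the breakout.

```javascript
// Added example, not Zagat's code. Models a hypothetical template that echoes
// the "location" search parameter into a double-quoted <input> attribute.

// Vulnerable rendering: the parameter is interpolated into the attribute
// unescaped, so a `"` ends the value and `>` closes the <input>, and whatever
// follows is parsed as new markup.
function renderLocationFieldUnsafe(location) {
  return `<input type="text" name="location" value="${location}">`;
}

// Attribute-context escaping: every character that can end or alter a quoted
// attribute (plus `<`, `>` and `&`) becomes an HTML entity.
function escapeHtmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: same template, escaped value.
function renderLocationFieldSafe(location) {
  return `<input type="text" name="location" value="${escapeHtmlAttr(location)}">`;
}

// Rough structural check: count element openings in the rendered markup.
// A correctly rendered field contains exactly one (<input); any extra one
// means the untrusted value has escaped the attribute context.
function countElements(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// The post's payload, inserted into the middle of "annandale, va" as described
// (constructed sample input).
const PAYLOAD = 'annan"><img src=x onerror=prompt(1);>dale, va';

console.log(renderLocationFieldUnsafe(PAYLOAD)); // two elements: <input> and <img>
console.log(renderLocationFieldSafe(PAYLOAD));   // one element; the payload is inert text
```

The element count is only a quick illustration of the breakout, not a detection rule; the real fix is the second renderer, which encodes for the exact context (a quoted attribute) the value lands in. Encoding for a different context, such as a JavaScript string or a URL, would not have closed this particular hole.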

Note that this payload works in all the browsers I currently have installed.

This is the screenshot taken after I sent the payload.

Reported by: Jacob Soo
Vendor Notification: May 19, 2012
Resolution: May 24, 2012
