- Status: Closed
- Assigned To: cbay - Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 26.09.2024
Last edited by cbay - 25.10.2024
FS#81 - Encoded XSS and SQL Injection in Registration Page
Hello Team,
I hope you are doing well. I found an encoded XSS and SQL injection in the registration page which is redirecting to a 500 Internal Server Error.
Steps:
1. Go to https://www.alwaysdata.com/en/register/
2. Input the fully URL-encoded XSS payload (%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e)@mail.com in Email Address and then input a password.
3. Click on the Login button.
It will redirect to a 500 Internal Server Error.
Impact
Reflected XSS: an attacker can execute malicious JavaScript code on the target application (the email input specifically). It is highly recommended to fix this one because it is found in a sensitive input (email).
Kind Regards.
Waleed Anwar
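The submission described in the report, as an added worked example that is not part of the report and not alwaysdata's code: it decodes the reported payload the way a form handler would, places a deliberately unsafe handler that reflects the value unescaped beside a hardened one that validates the address and HTML-escapes any echo (answering 400, not 500), and adds a triage check that tells a bare 500 page apart from an actual unescaped reflection. The handler names, the e-mail pattern and the sample responses are assumptions made for the example.

```python
import re
from html import escape
from urllib.parse import unquote

# The payload exactly as the report says it was typed into the email field
# (constructed from the report; the trailing ")" the reporter says to ignore is dropped).
ENCODED_PAYLOAD = (
    "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29"
    "%3c%2f%73%63%72%69%70%74%3e@mail.com"
)
# The marker a reflected-XSS claim must find verbatim in the response body.
MARKER = "<script>alert(1)</script>"

# Assumed, deliberately simple address syntax; enough to reject angle brackets
# and parentheses in the local part, which is what matters here.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def decode_form_value(value: str) -> str:
    """Percent-decode a form field, as the web framework does before the handler sees it."""
    return unquote(value)


def is_valid_email(addr: str) -> bool:
    """Syntactic validation of the decoded address (assumed pattern)."""
    return EMAIL_RE.fullmatch(addr) is not None


def handle_register_unsafe(email_field: str) -> tuple[int, str]:
    """Hypothetical vulnerable handler: no validation, raw interpolation into HTML."""
    email = decode_form_value(email_field)
    return 200, f"<p>Registered {email}</p>"  # reflects the decoded payload unescaped


def handle_register_hardened(email_field: str) -> tuple[int, str]:
    """Hypothetical hardened handler: validate first, escape anything echoed back.

    A bad address is a client error (400); it must never surface as a 500.
    """
    email = decode_form_value(email_field)
    if not is_valid_email(email):
        return 400, f"<p>Invalid email address: {escape(email)}</p>"
    return 200, f"<p>Registered {escape(email)}</p>"


def payload_is_reflected_unescaped(body: str, marker: str = MARKER) -> bool:
    """Reflected XSS needs the decoded marker verbatim in the response; escaped is not."""
    return marker in body


def classify(status: int, body: str, marker: str = MARKER) -> str:
    """Triage verdict for one response: distinguishes a real reflection from a bare error."""
    if payload_is_reflected_unescaped(body, marker):
        return "reflected-xss-candidate"
    if status >= 500:
        return "server-error-only"  # a crash page, not evidence of injection
    return "handled"


if __name__ == "__main__":
    for name, handler in (("unsafe", handle_register_unsafe),
                          ("hardened", handle_register_hardened)):
        status, body = handler(ENCODED_PAYLOAD)
        print(f"{name}: {status} -> {classify(status, body)}")
    # Constructed stand-in for the 500 page the report describes.
    print("500 page ->", classify(500, "<h1>Internal Server Error</h1>"))
```

The `classify` verdict is the check a reporter should run before claiming reflected XSS: only the unsafe handler yields `reflected-xss-candidate`; the hardened one answers 400 with the marker escaped, and a plain 500 page, which is all the report shows, is classified as a server error with no reflection.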
Any update, Sir?
Hello,
So you simply get a "500 Internal Server Error"? There's no injection whatsoever in your scenario.
Kind regards,
Cyril
Input this in the email address field: %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e)@mail.com, then put your password in the password field and click on login; you will be redirected to a 500 error.
Ignore the close bracket.