Open URL Redirection and Xss In Dato Capital
[ads]
This post is published by Ahsan Tahir as a contributor on Bug Bounty POC .Note that the post is written by Ahsan Tahir, & any mistake in writing will be entertained only from him We allow anyone to write contents on our blog as a guest/contributor so other can also learn.If you’re interested in sharing your finding through Bug Bounty POC Platform just sign up on blog and you can post freely.
Hello Bug Bounty Poc viewers, this is Ahsan Tahir, and this is my second write-up on bug bounty poc, so this time I’ve found Open URL Redirection & Xss In Dato Capital.
Let’s quickly get onto the topic!
So, the two bugs were following:
- Open URL Redirection
- Cross Site Scripting
Open URL Redirection:
STEPS TO REPRODUCE:
- Go to this URL: https://en.datocapital.com/isn/Login?u=https%3A%2F%2Fwww.google.com.pk%2F
- Log in to your account
- You will be redirected to Google.com.pk
[ads]
Cross Site Scripting (XSS):
STEPS TO REPRODUCE:
- Login to account
- Go to menu
- Click on Edit profile
- Check mark on generate invoices
- In all fields, enter this payload: “><img src=”x” onerror=prompt(document.domain)>
- Again click on edit profile, xss will pop-up!
VIDEO PoCs:
https://www.youtube.com/watch?v=r2QetgAPZHg
https://www.youtube.com/watch?v=jVcWtACaCPY