Skip to main content

Posts

Showing posts from May, 2015

Featured

Stealing CSRF tokens using XSS on Signup page

I'm assuming everyone reading this blog post know what CSRF and XSS are.If you don't, having a quick search on google can yield you many results. While crawling for vulnerabilities and searching on google, navigating through pages. I finally landed on a website. As per disclosure policies I'm not allowed to disclose the company/website. So lets use REDACTED.com. Doing recon using passive and active techniques. I found no sub-domains , no low hanging vulnerabilities. Every mechanism works pretty fine or may be I missed something. After hours of testing, signup page caught my attention. I was like "How did I miss this..." Navigated to https://www.REDACTED.com/signup After analysis, the url input fields are vulnerable to XSS. But it turns out to be useless because it's on signup page.I though of exploiting it. First I registered an account and verified it using the confirmation link I received in my inbox. I navigated to prof

Stored Cross site scripting( XSS ) in edmodo.com