Stored XSS Vulnerability in Jotform and H1C Private Site




Recently, I found a critical stored Cross-Site Scripting vulnerability in Jotform and another private site.

By exploiting the bug, hackers can easily take over any user account.


Attack Scenario:

The victim creates a form, such as a survey or contact form.
The hacker gets and visits the form URL.
The hacker then enters a script in the Name field and submits the form.
When the victim logs in to their account and checks the form entries or submissions, the script is executed.
The hacker can then easily take over the victim's account.
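
The scenario above comes down to a submissions view that writes the stored Name value into HTML without encoding it. The following is an added example, not code from Jotform or from the original post: it puts that rendering pattern beside a version that encodes on output. The function names, the table layout and the sample submissions are assumptions constructed for illustration.

```javascript
// Added example: all names and data here are constructed for illustration.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that can break out of element content
// or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored field values are concatenated into the
// submissions page exactly as the form visitor typed them.
function renderSubmissionsUnsafe(submissions) {
  return submissions
    .map((s) => `<tr><td>${s.name}</td><td>${s.message}</td></tr>`)
    .join("\n");
}

// Hardened pattern: every stored value is encoded at output time,
// so markup in a field is displayed as text instead of being parsed.
function renderSubmissionsSafe(submissions) {
  return submissions
    .map((s) => `<tr><td>${escapeHtml(s.name)}</td><td>${escapeHtml(s.message)}</td></tr>`)
    .join("\n");
}

// Regression check a test suite can run on rendered output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: one ordinary entry, one with markup in the Name field.
const sampleSubmissions = [
  { name: "Alice Example", message: "Please call me back" },
  { name: "<script>alert(1)</script>", message: "hello" },
];

console.log("unsafe render has live script tag:",
  containsScriptTag(renderSubmissionsUnsafe(sampleSubmissions)));
console.log("safe render has live script tag:",
  containsScriptTag(renderSubmissionsSafe(sampleSubmissions)));
```

Encoding belongs in the view that displays submissions, because the form itself accepts input from anyone who has the form URL.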

I reported this bug to the Jotform security team; they fixed the issue and rewarded me with a small bounty.




 
Later, I found the same bug in the H1C (HackerOne Challenge) private site.







They accepted and triaged my report and rewarded me with a $1000 bounty.




Also, I found the same bug many times in other sites.





Thanks for reading 

Hope you like this article.
