Friday, April 17, 2015

XSS Bug on Paypal.com

Hello Leets,

Today I am writing about my finding on Paypal.com.

It's an XSS (Cross-Site Scripting).

The story began on the 31st of December 2014, when everyone was enjoying the New Year celebrations and I was busy finding security bugs.

Then I tried hunting on the Paypal site.

After lots of tries I found a pattern to inject my code and trigger the XSS bug.


So the vulnerable parameter is
q = 

Vulnerable link:
===========


https://www.paypal.com/directory/merchants?q=directory/merchants?q=&q=q=directory/merchants?q=&q=%22%3E%3Cimg%20src=x%20onerror=prompt%28document.domain%29%3E
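
Added example (not part of the original post, and not Paypal's code): it decodes the three `q` values carried by the link above and renders each one through a hypothetical `<input>` template, first raw and then with HTML output encoding. The template, the function names and the tag-counting check are assumptions made for illustration; the page does not show the real markup.

```javascript
// Added example: the page's link decoded, then rendered raw vs. encoded.
// The <input> template is an assumption; the real markup is not on the page.
const LINK = 'https://www.paypal.com/directory/merchants?q=directory/merchants?q=&q=q=directory/merchants?q=&q=%22%3E%3Cimg%20src=x%20onerror=prompt%28document.domain%29%3E';

// The link repeats q three times; a server may use the first, the last, or all.
function qValues(link) {
  return new URL(link).searchParams.getAll('q');
}

// Encode the five characters that can end an attribute value or open a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical vulnerable template: raw value inside a double-quoted attribute.
function renderUnsafe(q) {
  return `<input name="q" value="${q}">`;
}

// Hardened template: same markup, value encoded at output time.
function renderSafe(q) {
  return `<input name="q" value="${escapeHtml(q)}">`;
}

// Crude check for this demo only: count the tags opened in the fragment.
function tagCount(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// One row per q value: how many tags each rendering produces.
function demo() {
  return qValues(LINK).map((q) => ({
    q,
    unsafeTags: tagCount(renderUnsafe(q)),
    safeTags: tagCount(renderSafe(q)),
  }));
}

console.log(demo());
```

Only the last `q` value changes the tag count in the raw rendering, because its leading `">` closes the attribute and the tag; with encoding it stays inside the `value` attribute as text.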


The bug is fixed now and Paypal paid me a bounty of 750$.

Thanks, Paypal team.