Unauthenticated CSRF to XSS on login page

Main / Unauthenticated CSRF to XSS on login page

Discription

# Description
The “`user-email“` parameter is vulnerable to XSS on the login page. In this way it is possible to make execute Javascript code on an unauthenticated user.
To exploid the vulnerability, since the it is a “`POST“` request, it’s necessary an HTML poc in order to trigger a CSRF on the login form which exploits the XSS

# Proof of Concept
– insert in a empty HTML file this PoC:
“`

“`

– Now open the file just created in a browser when the user it’s not authenticated. This is the result:

![image](https://i.imgur.com/1zdcBlP.png)Read More

References

Back to Main

Subscribe for the latest news: