Tuesday, 25 September 2018

[XSS] survey.dropbox.com


Introduction: 

survey.dropbox.com was pointing to mysurveylab.com, and any of mysurveylab.com's forms were accessible through survey.dropbox.com. This led to stored XSS at survey.dropbox.com because mysurveylab.com's forms were vulnerable to XSS.
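
For defenders, the condition described above can be checked from a DNS zone export. The following is an added example, not part of the original post. It assumes the pointing was done with a CNAME record; every record other than the survey.dropbox.com to mysurveylab.com pairing, and the names `FIRST_PARTY` and `REVIEWED_VENDORS`, are constructed for illustration.

```python
# Added example, not from the original post. Record types and all rows except the
# survey.dropbox.com -> mysurveylab.com pairing are constructed sample data.

FIRST_PARTY = {"dropbox.com"}          # domains the organisation itself operates
REVIEWED_VENDORS = {"vendor.example"}  # hypothetical: vendors with a completed security review

# (hostname, record type, target), as exported from a zone file.
SAMPLE_RECORDS = [
    ("survey.dropbox.com", "CNAME", "mysurveylab.com."),            # pairing from the post
    ("example-app.dropbox.com", "CNAME", "Edge.Dropbox.com."),      # stays first-party
    ("example-docs.dropbox.com", "CNAME", "dropbox.com.vendor.example."),  # suffix trap
    ("example-status.dropbox.com", "A", "192.0.2.10"),              # not a delegation
]


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def under(name, domains):
    """True if name equals, or is a subdomain of, one of the given domains."""
    name = normalize(name)
    return any(name == d or name.endswith("." + d) for d in domains)


def third_party_delegations(records, first_party, reviewed):
    """List first-party hostnames whose CNAME target is outside first-party control.

    Content served from such a target runs in the first-party hostname's origin,
    so a stored XSS in the vendor's product becomes an XSS on that hostname.
    """
    findings = []
    for host, rtype, target in records:
        if rtype.upper() != "CNAME" or not under(host, first_party):
            continue
        if under(target, first_party):
            continue
        findings.append({
            "host": normalize(host),
            "target": normalize(target),
            "vendor_reviewed": under(target, reviewed),
        })
    return findings


if __name__ == "__main__":
    for f in third_party_delegations(SAMPLE_RECORDS, FIRST_PARTY, REVIEWED_VENDORS):
        print(f)
```

Hostnames reported with `vendor_reviewed` set to `False` are the ones where a vendor-side bug would surface under the first-party name without anyone having assessed that vendor.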

Impact: Nothing as far as I know. Except phishing!


POC:




Vulnerable section:




Timeline:
  • Reported: Jan 14th 2017
  • Closed as Informative: Jan 14th 2017
  • MySurveyLab fixed the bug within a week (not sure).



