Saturday, August 22, 2015

XSS in gov.ph --- Official Gazette

While randomly searching for websites to "pwn", I came across the website of the Official Gazette of the Republic of the Philippines (http://gov.ph) I just typed a payload in the search bar then voila! XSS vulnerable. I contacted them via Twitter and the XSS was fixed after a day. (they are serious on web vulnerabilities now, unlike before).




POC:



The vulnerable part was in their search bar.... Just type the payload you want. In my case I used the most common payload which is "><img src=x onerror=alert(document.domain)>.. 

Vulnerability has been fixed, check it out yourself :)


Thanks.


-----------No Timeline----------- 

No comments:

Post a Comment