- Feb 27, 2011
- 21
I found this the other day. Basically the store locator echoes your text back, but they forgot to include HTML entities. So your HTML tag gets echoed back and displayed on the page.
Example: https://www.puma.com/stores?campaig...o_nova.png" /><b>XSS Vulnerability!!!</b></p>
With iframes and CSS the page can be fully defaced.
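The missing HTML-entity encoding described in the post, shown beside the encoded form, as an added example that is not part of the original post or the site's own code. The template, the `/img/` path and all function names are assumptions made for illustration; the sample value is constructed from the one visible in the post.

```python
import html
from html.parser import HTMLParser

# Hypothetical template: a query-string value is reflected into an <img>
# attribute, which is what the truncated URL in the post suggests.
TEMPLATE = '<p><img src="/img/{value}" /></p>'


def render_unescaped(value: str) -> str:
    """The 'before' case: the value is echoed into the markup verbatim."""
    return TEMPLATE.format(value=value)


def render_escaped(value: str) -> str:
    """The fix: encode &, <, >, " and ' as HTML entities before echoing."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag an HTML parser sees in the rendered output."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(markup: str, expected=("p", "img")) -> list:
    """Tags in the rendered output that the template itself never contained."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return [t for t in collector.tags if t not in expected]


# Constructed sample input modelled on the value shown in the post.
SAMPLE = 'logo.png" /><b>XSS Vulnerability!!!</b>'

if __name__ == "__main__":
    print(injected_tags(render_unescaped(SAMPLE)))  # the <b> element is parsed as markup
    print(injected_tags(render_escaped(SAMPLE)))    # the value stays inside the attribute
```

A check like `injected_tags` can run as a regression test against every parameter a page reflects, so a template that loses its encoding step fails the build.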