
Online Time Tracking Cross Site Scripting

Posted on 26 August 2014

# Affected software: Online Time Tracking (Paydirt) - URL: https://paydirtapp.com/
# Discovered by: Provensec
# Website: http://www.provensec.com
# Type of vulnerability: Stored XSS
# Description: Paydirt is time tracking and invoicing software made for browser-based freelancers and small businesses. It keeps track of who you're working for so that you don't have to. Paydirt is currently integrated with Chrome and Firefox, and will prompt you to track time based on the websites you're using and the emails you write.
# Proof of concept:
1. Go to https://paydirtapp.com/clients
2. Add a new client whose name is an XSS payload, for example: "><img src=d onmouseover=prompt(1);>
3. Go to https://paydirtapp.com/clients again: the stored payload is rendered in the client list and the XSS fires.
4. With the new client saved, go to https://paydirtapp.com/quotes, create a new quote and open the client selector: the payload is rendered there as well and the XSS fires.
Screenshot: http://prntscr.com/4fe3zq
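The two places the proof of concept lists (the client list and the quote's client selector) share one root cause: the stored client name is concatenated into HTML without escaping, so a name containing a tag breaks out of the attribute or text node it was meant to fill. The following is an added example, not Paydirt's code, that renders a hypothetical client selector the vulnerable way and the hardened way, using the advisory's own payload as one of the constructed sample records. The function and field names are assumptions for illustration.

```javascript
// Added example (not Paydirt's code): stored client names rendered into a
// client <select>, first without escaping (the advisory's bug class), then with
// context-appropriate HTML escaping.

// The payload from the advisory's proof of concept.
const ADVISORY_PAYLOAD = '"><img src=d onmouseover=prompt(1);>';

// Constructed sample records (hypothetical; not real Paydirt data). The third
// entry is what an attacker stores through the "add client" form.
const SAMPLE_CLIENTS = [
  { id: 1, name: 'Acme Ltd' },
  { id: 2, name: "O'Reilly & Sons" },
  { id: 3, name: ADVISORY_PAYLOAD },
];

// Vulnerable: the name is dropped straight into markup, both inside a quoted
// attribute and as text. A leading '">' closes the attribute and the tag, and
// everything after it is parsed as new markup.
function renderClientOptionUnsafe(client) {
  return `<option value="${client.name}">${client.name}</option>`;
}

// Escape the five characters that can change structure in HTML text or in a
// double- or single-quoted attribute value.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Hardened: escape at the point of output, once per interpolation.
function renderClientOptionSafe(client) {
  const name = escapeHtml(client.name);
  return `<option value="${name}">${name}</option>`;
}

function renderClientSelect(clients, renderOption) {
  return `<select name="client_id">${clients.map(renderOption).join('')}</select>`;
}

// Crude structural check usable in a test or a response-side canary: count
// opening tags in the rendered markup. The template emits a known number
// (one <select> plus one <option> per client); any surplus came from data.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

function expectedOpeningTags(clients) {
  return 1 + clients.length;
}

// Convenience wrappers so the two renderings can be compared directly.
function renderUnsafe(clients = SAMPLE_CLIENTS) {
  return renderClientSelect(clients, renderClientOptionUnsafe);
}

function renderSafe(clients = SAMPLE_CLIENTS) {
  return renderClientSelect(clients, renderClientOptionSafe);
}

function hasInjectedTags(html, clients = SAMPLE_CLIENTS) {
  return countOpeningTags(html) > expectedOpeningTags(clients);
}
```

Run with `node` and compare `renderUnsafe()` against `renderSafe()`: the unsafe markup contains two live `<img ... onmouseover=...>` elements (the name is interpolated twice, once into the attribute and once into the option text), while the safe markup contains only `&lt;img ...` text and the tag count matches what the template intended. Escaping must be applied per output context; the same name placed into a JavaScript string or a URL would need a different encoder, not this one.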
