[*] :: Title: ZARest POS - restaurant point of sale web application v2.0.0 Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-07
[*] :: Software: ZARest POS - restaurant point of sale web application v2.0.0
[?] :: Technical Details & Description:
# Weak security measures like no input fields data filtering has been discovered in the «ZARest POS - restaurant point of sale web application» web-application. Current version is 2.0.0.
[?] :: Demo Website:
# https://codecanyon.net/item/zarest-pos-restaurant-point-of-sale-web-application/17837041
# Backend: http://www.dar-elweb.com/demos/zarest
# Login/Password (admin): admin/password
# Login/Password (manager): sale/password
[!] :: Special Note:
# After injections you'll see that some blocks on the edited page are broken cause of poor code quality.
[!] :: For developers:
# Disabling any data changes on a demo websites doesn't make your applications more secure. It's good for business and sales but you are simply double-crossing your clients.
[+] :: PoC [Stored XSS Injection]:
# Go to the demo website http://www.dar-elweb.com/demos/zarpos and log in as admin or as a manager. Then go to any page you want and inject your payload in any textfield, cuz they are all not protected. Save the data and your payload will be successfully injected.
# Sample payload: "><script>alert('QUIXSS');</script>