ZARest POS - restaurant point of sale web application v2.0.0 Stored XSS Injection

2019.05.07
QUIXSS (RU)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[*] :: Title: ZARest POS - restaurant point of sale web application v2.0.0 Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-07
[*] :: Software: ZARest POS - restaurant point of sale web application v2.0.0

[?] :: Technical Details & Description:
# Weak security measures, namely no filtering of input field data, have been discovered in the «ZARest POS - restaurant point of sale web application» web application. The current version is 2.0.0.

[?] :: Demo Website:
# https://codecanyon.net/item/zarest-pos-restaurant-point-of-sale-web-application/17837041
# Backend: http://www.dar-elweb.com/demos/zarest
# Login/Password (admin): admin/password
# Login/Password (manager): sale/password

[!] :: Special Note:
# After the injections you will see that some blocks on the edited page are broken because of poor code quality.

[!] :: For developers:
# Disabling data changes on a demo website does not make your application more secure. It is good for business and sales, but you are simply double-crossing your clients.

[+] :: PoC [Stored XSS Injection]:
# Go to the demo website http://www.dar-elweb.com/demos/zarpos and log in as admin or as a manager. Then go to any page you want and inject your payload into any text field, since none of them are protected. Save the data and your payload will be stored and rendered back unencoded.
# Sample payload: "><script>alert('QUIXSS');</script>
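The root cause described above is stored text being written back into HTML without output encoding. The following is an added illustration, not code from the advisory or from the ZARest POS code base: a small Node.js rendering helper that shows the unencoded pattern beside a contextually encoded one, using the advisory's sample payload as constructed input. The function names and the `countTags` check are assumptions made for this example.

```javascript
// Added example (not the advisory's or the product's own code). Shows why
// encoding stored values on output neutralises a stored XSS payload, and gives
// a crude check a reviewer can run over rendered HTML.

// Constructed test input, taken from the advisory's sample payload.
const PAYLOAD = "\"><script>alert('QUIXSS');</script>";

// Encode the characters that can break out of HTML text or attribute context.
// Applied at render time, so the stored record itself is left unchanged.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Unencoded pattern: the stored value is concatenated straight into a
// double-quoted attribute, so a leading `">` closes the tag and what follows
// becomes markup.
function renderEditFieldUnsafe(name, storedValue) {
  return `<input type="text" name="${name}" value="${storedValue}">`;
}

// Hardened pattern: same template, every dynamic value encoded for the
// attribute context it lands in.
function renderEditFieldSafe(name, storedValue) {
  return `<input type="text" name="${escapeHtml(name)}" value="${escapeHtml(storedValue)}">`;
}

// Hardened rendering into text context (e.g. a product name in a table cell).
function renderCellSafe(storedValue) {
  return `<td>${escapeHtml(storedValue)}</td>`;
}

// Crude reviewer check: count tag openers ("<" followed by a letter or "/").
// For a template that is supposed to emit exactly one element, any higher
// count means stored data was interpreted as markup.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Demonstration when run directly: the unencoded field contains three tags
// (input, script, /script); the encoded field contains only the input tag.
console.log("unencoded:", renderEditFieldUnsafe("product_name", PAYLOAD),
  "tags:", countTags(renderEditFieldUnsafe("product_name", PAYLOAD)));
console.log("encoded:  ", renderEditFieldSafe("product_name", PAYLOAD),
  "tags:", countTags(renderEditFieldSafe("product_name", PAYLOAD)));
console.log("cell:     ", renderCellSafe(PAYLOAD));
```

Encoding belongs at the output point, per context, because the same stored value may be rendered into an attribute, a text node, or a script block, and each needs a different encoder; input filtering alone, as the advisory notes is absent here, is not a substitute.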

References:

https://codecanyon.net/item/zarest-pos-restaurant-point-of-sale-web-application/17837041
https://twitter.com/quixss


Copyright 2019, cxsecurity.com