[*] :: Title: Zar POS - point of sale web application v3.0.0 Stored XSS Injection [*] :: Author: QUIXSS [*] :: Date: 2019-05-07 [*] :: Software: Zar POS - point of sale web application v3.0.0 [?] :: Technical Details & Description: # Weak security measures like no input fields data filtering has been discovered in the «Zar POS - point of sale web application» web-application. Current version is 3.0.0. [?] :: Demo Website: # https://codecanyon.net/item/zar-pos-point-of-sale-web-application/15955540 # Backend: http://www.dar-elweb.com/demos/zarpos # Login/Password (admin): admin/password # Login/Password (manager): sale/password [!] :: Special Note: # After injections you'll see that some blocks on the edited page are broken cause of poor code quality. [!] :: For developers: # Disabling any data changes on a demo websites doesn't make your applications more secure. It's good for business and sales but you are simply double-crossing your clients. [+] :: PoC [Stored XSS Injection]: # Go to the demo website http://www.dar-elweb.com/demos/zarpos and log in as admin or as a manager. Then go to any page you want and inject your payload in any textfield, cuz they are all not protected. Save the data and your payload will be successfully injected. # Sample payload: "><script>alert('QUIXSS');</script>