Home / os / wince

Popup Blocker Pro Chrome Extension Stored Cross Site Scripting

Posted on 30 November -0001

<HTML><HEAD><TITLE>Popup Blocker Pro Chrome Extension Stored Cross Site Scripting</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Summary : Pop-Up Blocker Pro latest version suffers from Stored Cross Site Scripting Products Affected : Version 1.3.5 Chrome Extension Link : https://chrome.google.com/webstore/detail/popup-blocker-pro/kiodaajmphnkcajieajajinghpejdjai?hl=en Proof of Concept : The file options/options.htm suffers from Stored XSS due to lack of output filter. Go to chrome-extension://kiodaajmphnkcajieajajinghpejdjai/options/options.htm After that, in the Whitelisted Sites section, add the Payload <script>alert(1)</script> and press enter. After that each time you visit the extension link, it would prompt a Stored XSS. Credits: Aaditya Purani </BODY></HTML>

 

TOP