Reflected XSS Primagames.com

Friendly
Aug 6, 2018

Long story short, I’ve emailed them a few times, tweeted at them and no answer to fix their security.

I have decided to do a full disclosure regarding this.

You have a reflected XSS vulnerability at this URL (the search term in the p parameter is reflected into the page without encoding): https://shop.primagames.com/us/search?p=

This was tested on the latest version of Firefox 61.0.1 (64-bit).

By appending this payload to the URL as the value of p, you are able to execute a script (XSS):

<img/on=><img/onerror=%27confirm(1)%27src=%23>

We get the famous confirm(1) pop-up!

Impact:

This allows an attacker to inject custom JavaScript code into the page, which can be used to steal information from Primagames’s user base and lure users to malicious websites on behalf of Primagames’s website.
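To show what goes wrong with the search parameter and what the fix looks like, here is an added example (not code from the post or from Primagames). It models a search handler that reflects p= into the results heading, once unencoded and once HTML-entity-encoded, and checks both against the payload quoted above; the URL, handler names and output format are assumptions for the demonstration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The URL and payload from the post, used here only as test input.
POST_URL = "https://shop.primagames.com/us/search?p=<img/on=><img/onerror=%27confirm(1)%27src=%23>"


def search_term_from_url(url: str) -> str:
    """Extract the p= query parameter the way a server framework would.

    parse_qs percent-decodes the value, so %27 becomes ' and %23 becomes #,
    which is exactly the string the vulnerable page reflects.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("p", [""])[0]


def render_vulnerable(term: str) -> str:
    """Hypothetical vulnerable handler: reflects the raw search term into HTML.

    The browser parses the <img ...> tags in the term; the second one has no
    valid src, so its onerror handler runs and confirm(1) pops up.
    """
    return f"<h1>Search results for: {term}</h1>"


def render_hardened(term: str) -> str:
    """Fixed handler: HTML-entity-encode the term before reflecting it.

    html.escape turns < > & " ' into entities, so the browser renders the
    payload as literal text and creates no element and no event handler.
    """
    return f"<h1>Search results for: {html.escape(term, quote=True)}</h1>"


def contains_live_tag(rendered: str) -> bool:
    """Regression check: an unencoded <img in the output means the bug is back."""
    return "<img" in rendered.lower()


if __name__ == "__main__":
    term = search_term_from_url(POST_URL)
    print("vulnerable:", render_vulnerable(term))
    print("hardened:  ", render_hardened(term))
```

Running the file prints both renderings; only the vulnerable one contains a parseable tag.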

Once again, this post is NOT meant to do anything harmful to the website. I am just a security researcher who is trying to help secure your website — other websites as well.

I hope you see this post and fix your issue very soon and secure your users.

If you have any questions or comments, feel free to message me on Twitter @Skeletorkeys

Thanks for reading.
