Reflected XSS Primagames.com

Friendly
Aug 6, 2018 · 1 min read

Long story short, I’ve emailed them a few times, tweeted at them, and got no answer about fixing their security.

I have decided to do a full disclosure regarding this.

You have a reflected XSS vulnerability located at this URL: https://shop.primagames.com/us/search?p=

This was tested on the latest version of Firefox 61.0.1 (64-bit).

By entering this payload in the URL, you are able to execute a script (XSS):

<img/on=><img/onerror=%27confirm(1)%27src=%23>
We get the famous confirm(1) popup!
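As an added example (not code from the original post or from the Primagames shop), the Node.js snippet below decodes the post's payload the way a server decodes the p parameter, reflects it once as an unescaped template does and once with contextual HTML escaping, and checks whether the resulting markup still carries an event-handler attribute. The page template and function names are assumptions.

```javascript
// Added example, not code from the original post or from the Primagames shop.
// It reflects the "p" search parameter the way a vulnerable page does and the
// way a hardened page should, using the payload quoted in the post.

// The payload exactly as it appears in the post's URL (still percent-encoded).
const POST_PAYLOAD = "<img/on=><img/onerror=%27confirm(1)%27src=%23>";

// A server decodes the query string before using it; %27 -> ' and %23 -> #.
function decodeQueryParam(raw) {
  return decodeURIComponent(raw.replace(/\+/g, " "));
}

// Contextual escaping for an HTML text node or quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (assumed page template): the raw value lands in markup.
function renderSearchVulnerable(p) {
  return `<h1>Search results for: ${p}</h1>`;
}

// Fixed pattern: the same template, value escaped for the context it lands in.
function renderSearchSafe(p) {
  return `<h1>Search results for: ${escapeHtml(p)}</h1>`;
}

// Test heuristic (not a sanitizer): does any tag carry an on* handler attribute?
// "/" counts as a separator because browsers accept <img/onerror=...>.
function hasEventHandlerAttribute(html) {
  return /<[a-z][^>]*[\s\/]on[a-z]+\s*=/i.test(html);
}

// Run both renderers over the decoded payload and report what the browser gets.
function compare(rawParam) {
  const p = decodeQueryParam(rawParam);
  return {
    decoded: p,
    vulnerable: renderSearchVulnerable(p),
    safe: renderSearchSafe(p),
    vulnerableHasHandler: hasEventHandlerAttribute(renderSearchVulnerable(p)),
    safeHasHandler: hasEventHandlerAttribute(renderSearchSafe(p)),
  };
}

console.log(compare(POST_PAYLOAD));
```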

Impact:

This allows an attacker to inject arbitrary JavaScript that can be used to steal information from Primagames’s user base and lure users to malicious websites on behalf of Primagames’s website.

Once again, this post is NOT meant to do anything harmful to the website. I am just a security researcher who is trying to help secure your website — other websites as well.

I hope you see this post and fix your issue very soon and secure your users.

If you have any questions or comments, feel free to message me on Twitter @Skeletorkeys

Thanks for reading.
