An information security expert, Narendra Chavda from Ahmedabad, Gujarat, has discovered a non-persistent XSS security flaw in the official website of WhatsApp.
Narendra found that the Search Query field on the FAQ page of whatsapp.com is vulnerable to an XSS attack.
When an attacker visits "www.whatsapp.com/faq/" and enters XSS code in the field, the site successfully executes the entered script.
PoC code:
www.whatsapp.com/faq/search/?q=<script>alert("E Hacking News")</script>
The site also allows users to inject the iframe code:
http://www.whatsapp.com/faq/search/?q=<iframe src="http://www.ehackingnews.com/"height="1000px"width="1000px">
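The flaw described above is a search page echoing the q parameter into its HTML without output encoding. The following is an added example, not code from WhatsApp or from the original report: it contrasts that pattern with an HTML-escaped version, using the two query strings from the article as input. The function names, the page markup and the example.invalid base URL are assumptions made for illustration.

```javascript
// Added example: hypothetical search-page rendering, not WhatsApp's code.

// Characters that can change the HTML parsing context, mapped to entities.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Extract the decoded "q" parameter from a request path.
// The base URL is a placeholder needed only to parse a relative path.
function getQuery(requestPath) {
  const url = new URL(requestPath, "http://example.invalid");
  return url.searchParams.get("q") ?? "";
}

// Vulnerable pattern: the query is concatenated into markup as-is,
// so any tags it contains become part of the page.
function renderUnsafe(requestPath) {
  return `<h1>Results for: ${getQuery(requestPath)}</h1>`;
}

// Hardened pattern: the query is HTML-escaped at the point of output,
// so the browser displays it as text instead of parsing it as markup.
function renderSafe(requestPath) {
  return `<h1>Results for: ${escapeHtml(getQuery(requestPath))}</h1>`;
}

// Check used here to show whether user input survived as a live tag.
function containsActiveMarkup(html) {
  return /<(script|iframe)\b/i.test(html);
}

// The two query strings quoted in the article.
const SAMPLES = [
  '/faq/search/?q=<script>alert("E Hacking News")</script>',
  '/faq/search/?q=<iframe src="http://www.ehackingnews.com/"height="1000px"width="1000px">',
];

for (const path of SAMPLES) {
  console.log("unsafe:", containsActiveMarkup(renderUnsafe(path)),
              "safe:", containsActiveMarkup(renderSafe(path)));
  console.log(renderSafe(path));
}
```

Escaping at output covers this HTML-body context only; values placed into attributes, URLs or inline scripts need the encoding appropriate to that context.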