by HiJon89
2303 days ago
For #5 I believe it's not just a self-XSS, but also executes on the support agent's browser, allowing you to potentially exfiltrate their cookies:

> Anyone can write malicious code into the chatbox and PayPal’s system would execute it. Using the right payload, a scammer can capture customer support agent session cookies and access their account.
For example, under example quality reports, POCs are provided:
https://hackerone.com/reports/32825
https://docs.hackerone.com/programs/quality-reports.html