IWSP Week 12

Worked on #gj1TG this week.

Found stored XSS vulnerabilities in a few places in the system. The application also caches the password in the browser in plaintext, which was very interesting to find.

However, I missed one vulnerability, which was the ability to change the amount to be paid. This is because I missed the last part of a multi-part process.

Request -> confirm -> pay

I tested the request -> confirm portion but forgot to test confirm -> pay. I learnt to be more thorough in the future, especially when it comes to transactions.
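One way a server can keep the amount bound to the order across the confirm -> pay step, as an added example that is not part of the original post (the catalogue, order identifiers and service names are constructed for illustration):

```python
# Added example (not from the original post): a minimal request -> confirm -> pay
# flow in which the amount to be paid lives in a server-side order record, so an
# amount submitted by the client at the pay step cannot change what is charged.
from dataclasses import dataclass
from decimal import Decimal
import secrets

# Constructed catalogue for the example; prices live on the server, never in the request.
CATALOGUE = {"plan-basic": Decimal("10.00"), "plan-pro": Decimal("25.00")}

@dataclass
class Order:
    item: str
    amount: Decimal           # server-computed, never taken from the client
    state: str = "requested"  # requested -> confirmed -> paid
    confirm_token: str = ""   # proves the confirm step happened for this order

class CheckoutService:
    def __init__(self) -> None:
        self.orders: dict[str, Order] = {}

    def request(self, item: str) -> str:
        # Step 1: the client names an item; the server looks up the price.
        order_id = secrets.token_hex(8)
        self.orders[order_id] = Order(item=item, amount=CATALOGUE[item])
        return order_id

    def confirm(self, order_id: str) -> tuple[str, Decimal]:
        # Step 2: freeze the order and hand back a one-time token the pay step must echo.
        order = self.orders[order_id]
        if order.state != "requested":
            raise ValueError("order is not awaiting confirmation")
        order.state = "confirmed"
        order.confirm_token = secrets.token_hex(16)
        return order.confirm_token, order.amount

    def pay(self, order_id: str, confirm_token: str, client_amount: Decimal) -> Decimal:
        # Step 3: the client-supplied amount is only a display value; the charge is
        # the server-side amount, and any disagreement aborts the transaction.
        order = self.orders[order_id]
        if order.state != "confirmed":
            raise ValueError("order was not confirmed")
        if not secrets.compare_digest(order.confirm_token, confirm_token):
            raise ValueError("confirm token does not match this order")
        if client_amount != order.amount:
            raise ValueError("amount was altered between confirm and pay")
        order.state = "paid"
        return order.amount
```

The same check belongs in every later step of a multi-step transaction, since the server-side record, not the last request, is the source of truth for what is charged.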