Describe the bug
In blackbox test mode success submitting a form is incorrectly interpreted as a vulnerability.
In report this explained as:
The X form on the homepage (POST X) accepts and stores raw HTML/JavaScript payloads in multiple fields (x, y) without any input sanitization or output encoding. When a store manager or admin views the submitted request in the admin panel, the stored XSS payload executes in their browser context.
The vulnerability was confirmed by successfully submitting a request with `<img src=x onerror=alert(...)>` payloads in the `x` and `y` fields. The server responded with HTTP 200 and a success message: "Z" (Request sent).
Tools could report only if vulnerability is confirmed (page with XSS available).
Describe the bug
In blackbox test mode success submitting a form is incorrectly interpreted as a vulnerability.
In report this explained as:
Tools could report only if vulnerability is confirmed (page with XSS available).