HACKR.GG
Category: XSS | Difficulty: Medium

SupportDesk — Blind XSS via Contact Form

SupportDesk stores contact form submissions and renders them in an admin panel, which an admin bot visits every 5 seconds. Inject a payload that calls back to your listener and steal the admin cookie.

Step-by-step walkthrough
// Objective

Inject a payload into the contact form that exfiltrates the admin cookie when the admin bot renders the submission in the admin panel.
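The weakness this lab exercises, seen from the defender's side, as an added example that is not part of the lab page or its application: a Python sketch of the admin-panel row rendering with and without output escaping, a check that flags live markup in rendered output, and the HttpOnly attribute that keeps script from reading the admin session cookie. The function names, the sample submission and the table template are assumptions, since the page shows no application code.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample submission standing in for a stored contact-form entry.
# The message carries inert script markup so the two renderers can be compared.
SAMPLE_SUBMISSION = {
    "name": "alice",
    "message": "<script>/* constructed test marker */</script> need help with my account",
}

# Vulnerable: interpolates stored user input straight into the admin panel HTML,
# so whatever the submitter wrote becomes live markup when the admin bot renders it.
def render_admin_row_vulnerable(sub: dict) -> str:
    return f"<tr><td>{sub['name']}</td><td>{sub['message']}</td></tr>"

# Hardened: HTML-escape every user-controlled field at output time. quote=True also
# escapes quotes, which matters if a value ever lands inside an attribute.
def render_admin_row_safe(sub: dict) -> str:
    name = html.escape(sub["name"], quote=True)
    message = html.escape(sub["message"], quote=True)
    return f"<tr><td>{name}</td><td>{message}</td></tr>"

# Defensive check usable in a test suite or a log scanner: does the rendered output
# still contain script tags, event-handler attributes or javascript: URLs?
ACTIVE_MARKUP = re.compile(r"<\s*script|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)

def contains_active_content(rendered_html: str) -> bool:
    return ACTIVE_MARKUP.search(rendered_html) is not None

# The lab's impact is theft of the admin cookie; HttpOnly removes the cookie from
# document.cookie, so script injection alone cannot read it (constructed cookie name).
def session_cookie_header(value: str, hardened: bool = True) -> str:
    cookie = SimpleCookie()
    cookie["session"] = value
    if hardened:
        cookie["session"]["httponly"] = True
        cookie["session"]["secure"] = True
        cookie["session"]["samesite"] = "Lax"
    return cookie.output()

if __name__ == "__main__":
    print(render_admin_row_vulnerable(SAMPLE_SUBMISSION))
    print(render_admin_row_safe(SAMPLE_SUBMISSION))
    print(session_cookie_header("constructed-session-id"))
```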

Toolkit: curl, nc (netcat), Browser