Defencely Website vulnerable to Non Persistent XSS

Security Researcher Vedachala has discovered a post based Cross site Scripting vulnerability in the Defencely website - A company that provides web application penetration testing service.

The main page of the Defencely allows user to enter their website to get a security report.  The form gets the input and pass the website address as "website_url" parameter to "".

"If a web application is getting user's input, it is always better to double check and make sure the parameter is sanitized." 

Post based xss in Defencely

Veda has identified that "website_url" parameter is not sanitized and vulnerable to post request based XSS.  He successfully managed to get the injected-script executed.

In one of the facebook group related to Security , the researcher provided the proof-of-concept(You can also find the details at  We have successfully verified the vulnerability.  At the time of writing, the website is still vulnerable.

 Another Security Researcher named QuisterTow has discovered one more xss Vulnerability in the Defencely website.

The researcher provided the following POC in the pastebin(

At the time of writing, we are still able to reproduce the vulnerability.
Category: / / /

Share this with Your friends: