Open Redirect and Reflected XSS on 123ContactForm

WS201516 – Open Redirect and Reflected XSS on 123ContactForm
by David Sopas @dsopas


123ContactForm is a service developed by a young enthusiastic team located in Timisoara, Romania, EU. Founded in 2008, 123ContactForm has become a worldwide top class online form and survey builder.

When visiting a client of I noticed a strange request from their site.
What I found was an Open Redirect and XSS vulnerability that could be used by malicious users to forward victims to malicious sites, spread malware, phish accounts and even hijack victims' browsers.


Open Redirect



123ContactForm fixed this issue and put my name on their security acknowledgements list.


08 May 2015 – Sent the security issue to 123ContactForm
23 May 2015 – Reply from 123ContactForm saying that they are fixing it
26 Jun 2015 – 123ContactForm applied a fix
21 Jul 2015 – My name is added on their security acknowledgements list
22 Jul 2015 – Full disclosure
