The exploit demonstrates two vulnerabilities in chatNow: a CSRF vulnerability in 'send_message.php' due to lack of token/referer checks, and a reflected XSS vulnerability in 'login.php' due to improper URL filtering. Both vulnerabilities are proven with functional attack code.
Classification
Working Poc 95%
Target:
chatNow (latest commit as of 2016-08-23)
No auth needed
Prerequisites:
Victim interaction for XSS (clicking a link or visiting a crafted URL) · For CSRF, victim must be authenticated in the target application