## Description
A stored Cross-Site Scripting (XSS) vulnerability was found in the iboss Secure Web Gateway product. The vulnerability is exploited by submitting a login attempt, intercepting the request, and adding a payload to the "redirectUrl" parameter before sending it to the server. After the request is submitted, visiting the initial login page loads the page with the previously submitted payload included.
This is an unauthenticated attack (credentials do not need to be valid). The payload is stored on the server and included in every response to a GET request for the login page until a new POST request without a payload is made to the server.
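
One way to close this class of bug, shown as an added example (not iboss code and not part of the original advisory): validate `redirectUrl` when the POST arrives and HTML-encode it when the login page is rendered. The function names, the `/` fallback, and the hidden-field markup are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

DEFAULT_REDIRECT = "/"  # assumed fallback landing path


def safe_redirect_target(raw, default=DEFAULT_REDIRECT):
    """Return raw only if it is a plain same-site path; otherwise the default."""
    if not isinstance(raw, str) or not raw.startswith("/"):
        return default
    # Browsers treat "//host" and "/\host" as off-site targets.
    if raw.startswith("//") or "\\" in raw:
        return default
    # Reject control characters and raw markup or quote characters outright.
    if any(ord(c) < 0x20 or c in "<>\"'`" for c in raw):
        return default
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        return default
    return raw


def render_login_field(raw):
    """Build the login form field, encoding the value for an HTML attribute.

    Assumption: the page echoes redirectUrl inside a hidden input.
    """
    value = html.escape(safe_redirect_target(raw), quote=True)
    return f'<input type="hidden" name="redirectUrl" value="{value}">'


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    for sample in ["/dashboard?tab=1", '/x"><b>constructed</b>', "//other.example/"]:
        print(repr(sample), "->", render_login_field(sample))
```

Validation and encoding are applied independently so that either one alone still prevents markup from reaching the page. Keeping the value scoped to the submitting session rather than shared across all visitors addresses the stored aspect described above.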
## Proof of Concept
1. Access the login portal located at /login
2. Submit a login attempt and intercept the request
Example of unaltered request:
```
POST /user_login_submit HTTP/1.1
Host: <domain>
<--Headers Removed-->