Shane Warne Official Website Vulnerable to XSS Security flaw

A 21-year-old information security expert, Narendra Bhati from Sheogan, Rajasthan, who recently found non-persistent XSS in Brother Soft, Aircel & MTS Mobile and SQL injection in a bank website, has discovered a non-persistent XSS security flaw in the official website of Shane Warne.


Narendra wants to say: “Maa, Papa and Bhayya, one day I will make you proud of me.”

Narendra found that the search query field on www.shanewarne.com is vulnerable to an XSS attack.

Shane’s world-class talents have been recognized through a number of distinguished awards, including being named one of only five Wisden’s Cricketers of the 20th Century, in Australia’s Cricket Team of the 20th Century, BBC Sports Personality of the Year in 2005, and Victoria’s Greatest Ever Sportsman in 2002. In 2011 Shane was honored with the unveiling of a bronze statue of him at the Melbourne Cricket Ground, and in early 2012 was inducted into the Australian Cricket Hall of Fame.

When an attacker visits www.shanewarne.com and enters XSS code in the search field, the site returns the input in the page unencoded and the browser executes the entered script.

POC code:

http://www.shanewarne.com/search/content?q=<script>alert("E+Hacking+News")</script>

The site also allows users to inject the iframe code:
http://www.shanewarne.com/search/content?q="/><iframe+src="http://www.ehackingnews.com"+width=1000+height=1000></iframe>


Narendra also succeeded in redirecting the Shane Warne website to another website. After 5 seconds of loading, the page redirects to the inputted website. This makes it easy for an attacker to send an innocent user to a phishing website or another website and steal their credentials. ;-)

POC Code

http://www.shanewarne.com/search/content?q=<meta+http-equiv="refresh"+content="2;url=http://www.google.com/">
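How the three POC queries above behave when the search term is written into the page raw versus HTML-encoded. This is an added example, not the site's code: the handler names, the page template and the assumption that q is reflected both in an attribute and in the body are hypothetical.

```javascript
// Added illustration: renderVulnerable/renderSafe are hypothetical handlers
// for a page like /search/content?q=..., not the site's real code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Decode q as a form-encoded query string ("+" becomes a space).
function readQuery(rawUrl) {
  return new URL(rawUrl).searchParams.get('q') || '';
}

// Assumed template: q is reflected in an attribute and in the body.
function renderVulnerable(q) {
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

function renderSafe(q) {
  const e = escapeHtml(q);
  return `<input name="q" value="${e}"><p>Results for ${e}</p>`;
}

// The three POC URLs quoted in the post.
const POC_URLS = [
  'http://www.shanewarne.com/search/content?q=<script>alert("E+Hacking+News")</script>',
  'http://www.shanewarne.com/search/content?q="/><iframe+src="http://www.ehackingnews.com"+width=1000+height=1000></iframe>',
  'http://www.shanewarne.com/search/content?q=<meta+http-equiv="refresh"+content="2;url=http://www.google.com/">',
];

// Tags that the query managed to introduce as live markup.
function injectedTags(html) {
  const hits = html.match(/<(script|iframe|meta)\b/gi) || [];
  return hits.map((t) => t.slice(1).toLowerCase());
}

function compare() {
  return POC_URLS.map((url) => {
    const q = readQuery(url);
    return { vulnerable: injectedTags(renderVulnerable(q)), safe: injectedTags(renderSafe(q)) };
  });
}

console.log(JSON.stringify(compare(), null, 2));
```

This encoding covers only the HTML body and quoted-attribute contexts used in the assumed template; a value placed inside a script block, a URL or an unquoted attribute needs the encoder for that context.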