Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Reflected Cross Site scripting. Show all posts

Cross Site scripting Vulnerability in Alexa Toolbar Search



A hacker named as kuksool from the hacker group "n0careteam" has discovered a Cross Site scripting vulnerability in the Alexa website -A California-based subsidiary company of Amazon.com that provides infromation about websites including Internet traffic stats, rank.

The vulnerability exists in the Alexa Toolbar search page(search.toolbars.alexa.com) - A custom search provided by Google.

If you have installed the toolbar in your browser & inject this script in the search box, it successfully executes the given script:

"><script>alert(" E Hacking News")</script>

Xss in Alexa Toolbar Search


POC:
http://search.toolbars.alexa.com/?q="><script>alert("+E+Hacking+News")</script>
Recently the same hacker group discovered XSS vulnerability in high profile websites including Russian and Malaysia Government sites, Music.com, New York Magazine.

Cross Site Scripting Vulnerability In Times of India and NDTV


A Security Researcher Vedachala from ICD, has identified Cross site scripting security flaw in one of the famous news paper web site Times of India.

Times of India is one of leading news paper which brings brings the Latest & Top Breaking News on Politics and Current Affairs in India & around the World, Cricket, Sports, Business, Bollywood News etc.

POC [Unfixed] :
http://epaper.timesofindia.com/Daily/skins/TOI/welcome.asp?QS="><iframe src="http://www.breakthesecurity.com" width=2000 height=900>

The researcher also found XSS Vulnerability in NDTV goodtimes website ..NDTV Good Times is the flagship channel of NDTV Lifestyle, part of the NDTV Group.

POC [Unfixed] :
 http://goodtimes.ndtv.com/video/video.aspx?id=52733"><iframe src="http://www.breakthesecurity.com" width=2000 height=900>

Recently the researcher also found a xss vulnerability in popular sites like Airtel, ooowebhost,IBN CNN  etc.

Non-persistent XSS vulnerability in IBNLive

An 17 Years Old Security researcher Researcher V3d@ch4La From Indian Cub3r Dev!Ls, has discovered a non-persistent XSS security flaw in the official website of IBN(ibnlive.in.com) .

Cable News Network-Indian Broadcasting Network (CNN-IBN) is an English-language Indian television news channel. The network is a partnership between Global Broadcast News (GBN) and Turner International (Turner) in India (a subsidiary of Time Warner).
POC:
http://ibnlive.in.com/searcher/search.php?searchq=\"><script>alert(/ E Hacking News/)</script>





Cross site scripting Vulnerability in Adobe website


A Researcher has discovered Reflected Cross site scripting(XSS) vulnerability in the official website of Adobe Systems Incorporated and submitted the vulnerability to Secureless.

According to the researcher, the vulnerability has been reported few months ago but there is no response from Adobe.

The  'adobe.com/events/main.jsp?month=' found to be vulnerable to reflected or non-persistent XSS security flaw.  Researcher managed to execute the javascript by injecting the script in the month parameter.

adobe xss vulnerability

The Poc and exploit details has been archived here:
http://secureless.org/vulnerability/2440/
The vulnerability allows a cyber criminal to launch phishing attack , session hijacking, redirecting to malicious sites and more. At the time of writing, The vulnerability is still there.

*Update 1* Today, we got response from Adobe Security Team that they are researching the bug and will fix it soon.

*Update 2 * (12 Dec) The vulnerability has been fixed.