Security researcher Shikhil Sharma has identified a non-persistent cross-site scripting vulnerability in one of the leading online job search portals, Monster.
Monster is the largest job search engine in the world. Monster has over a million job postings at any time and over 1 million resumes in its database (2008), and over 63 million job seekers per month. The company employs approximately 5,000 employees in 36 countries.
The job search field on the Monster India website (jobsearch.monsterindia.com) is found to be vulnerable to XSS injection.
POC:
http://jobsearch.monsterindia.com/searchresult.html?fts='/><script>alert('E+Hacking+News')</script>&x=0&y=0&mne=&mxe=
The same vulnerability affects the Hong Kong (jobsearch.monster.com.hk) and Gulf (jobsearch.monstergulf.com) branches of the Monster job portal.
One of the top free web hosting providers, 000WebHost, is found to be vulnerable to cross-site scripting. The vulnerability was discovered by cyber security researcher Vedachala.
The domain name, subdomain name and email address fields on the "Order Free Web Hosting" page of the site (000webhost.com) are vulnerable to XSS injection.
The site's web application developer fails to validate those inputs for special characters, which results in this security flaw.
POC code for this security bug:
http://www.000webhost.com/order.php?domain=\"><script>alert(/e hacking news/)</script>&subdomain=\"><script>alert(/e hacking news/)</scrip&name=\"><script>alert(/E Hacking News/)</script>&email=\"><script>alert(/e hacking news/)</script>&pass1=\"><script>alert(/E Hacking New&pass2=\"><script>alert(/E Hacking New&aggree=yes&error_multiple=1&error_domain=1&error_subdomain=1&error_name=&error_email=1&error_pass=4&error_tos=&error_number=&error_js=&error_disposable=&error_bad_gmail=
The researcher also recently found a reflected xss vulnerability in the Airtel website.
An information security expert, Narendra Chavda from Ahmedabad, Gujarat, has discovered a non-persistent XSS security flaw in the official website of WhatsApp.
Narendra found that the search query field on the FAQ web page of whatsapp.com is vulnerable to XSS attack.
When an attacker visits "www.whatsapp.com/faq/" and enters the XSS code in the field, the entered script is executed.
POC code :
www.whatsapp.com/faq/search/?q=<script>alert("E Hacking News")</script>
The site also allows users to inject iframe code:
http://www.whatsapp.com/faq/search/?q=<iframe src="http://www.ehackingnews.com/"height="1000px"width="1000px">
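As an added example (not code from the article or from any of the sites named), here is a small Python model of the search-result rendering that the Monster and WhatsApp items describe: the proof-of-concept values from the article's URLs are pulled out of the query string the way a server would see them, then fed to an unencoded template beside an HTML-encoded one. The template, the parameter name `q` and the tag-count check are assumptions of this example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Proof-of-concept URLs quoted in the article. The injected value reaches the
# server as an ordinary query parameter; parse_qs decodes it the same way a
# web framework would (e.g. '+' becomes a space).
POC_URLS = {
    "monster": "http://jobsearch.monsterindia.com/searchresult.html"
               "?fts='/><script>alert('E+Hacking+News')</script>&x=0&y=0&mne=&mxe=",
    "whatsapp": "http://www.whatsapp.com/faq/search/?q=<script>alert(\"E Hacking News\")</script>",
}

def search_param(url: str, name: str) -> str:
    """First value of query parameter `name` in `url`, or '' if it is absent."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]

def render_vulnerable(query: str) -> str:
    """Echoes the search term unencoded into an attribute and into the body,
    which is the behaviour the article describes. A value beginning with '/>
    closes the <input> early and the remainder lands in the page as markup."""
    return (f"<input type='text' name='q' value='{query}'/>\n"
            f"<p>Results for: {query}</p>")

def render_hardened(query: str) -> str:
    """Same (assumed) template; the term is HTML-encoded before insertion.
    quote=True also encodes ' and ", so the value cannot leave the attribute."""
    safe = html.escape(query, quote=True)
    return (f"<input type='text' name='q' value='{safe}'/>\n"
            f"<p>Results for: {safe}</p>")

def injected_tag_count(render, query: str) -> int:
    """Number of '<' the query adds beyond the template's own tags: 0 means the
    browser sees the term as text, anything above 0 means new markup appeared."""
    baseline = render("").count("<")
    return render(query).count("<") - baseline

if __name__ == "__main__":
    for site, url in POC_URLS.items():
        param = "fts" if site == "monster" else "q"
        payload = search_param(url, param)
        print(site, "vulnerable:", injected_tag_count(render_vulnerable, payload),
              "hardened:", injected_tag_count(render_hardened, payload))
```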
Security researcher and bug hunter Rafay Baloch has discovered a non-persistent cross-site scripting vulnerability in the websites belonging to the internet security giants McAfee and Symantec.
The download parameter on the Product Advisory Council sub-domain of McAfee (portal.mcafee.com) is found to be vulnerable to XSS attack.
The researcher claimed that he notified McAfee about the XSS vulnerability several times but they refused to fix it.
[Image: McAfee xss]
[Image: Reflected xss in Symantec]
A few weeks earlier, he discovered XSS in the Storage Foundation DocCentral sub-domain of Symantec (sfdoccentral.symantec.com) and notified them. Symantec immediately fixed the vulnerability, but McAfee has not.
At the time of writing, the vulnerability is not yet patched.