E Hacking News
Showing posts with label XSS Vulnerability.

Recently a 15-year-old tech blogger and security researcher named Indrajeet Bhuyan found, and helped fix, an XSS vulnerability in Photobucket.

He had previously found vulnerabilities in Samsung, Disqus, NDTV, Jabong, IIT Bombay and many others.

Editor's Note: It is good to see that such young hackers are acting responsibly and reporting vulnerabilities instead of simply defacing the site or using the vulnerabilities for malicious motives. I hope that Mr. Indrajeet Bhuyan continues this.

Recently, EHN received a news report from the Tunisian Cyber Army and Al Qaida Electronic Army in which the hackers claimed to have infected a Pentagon administrator as part of their ongoing operation called "#opBlackSummer".

The attack happened after the hackers identified a reflected cross-site scripting (XSS) vulnerability in one of the Pentagon's subdomains (g1arng.army.pentagon.mil).

POC:
g1arng.army.pentagon.mil/Programs/Pages/Default.aspx?Category="><script>alert("xss by tca and AQECA on pentagon")</script>

xss vulnerability

The hackers claim to have used this vulnerability to deliver a malicious payload to a Pentagon administrator, and that they succeeded in infecting the target.

The hackers said they compromised some important files and stole cookies from Pentagon mail, and that the breach was carried out in collaboration with Chinese hackers.

At the time of writing, the vulnerability is not fixed. If the TCA claim is true, this will be the best example of how severe a simple reflected XSS can be. Yesterday I sent a notification about the vulnerability to the Pentagon team, but there has been no response from them.

In another mail, the team said they had hacked state.gov through an SQL injection vulnerability.

An information security researcher, Sukhwinder Singh, has identified a critical security flaw in one of the top support ticket systems, provided by Zendesk.

The title field is vulnerable to persistent cross-site scripting. The researcher managed to create a ticket with this title: "><script>alert(/Sukhwinder Singh/)</script>

Although the developer of this app sanitizes the title before it is displayed to the user, the title is stored in the database unsanitized.

The title is sanitized every time it is displayed on the page. Unfortunately, the special characters were not removed before the title was placed in the data-text attribute of the Twitter button code.


POC:
https://support.zuora.com/entries/23275787--script-alert-Sukhwinder-Singh-script-

The Google dork "Support Ticket System by Zendesk" returns thousands of websites that use this application.

The researcher claimed to have contacted Zendesk, but there has been no response from their side. I've also sent a notification to Zendesk.
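
The failure pattern this post describes, encoding a value for one HTML context and then reusing it in another, is easiest to see with the contexts side by side. The following Python is an added example written for this page, not Zendesk's code or the researcher's: it renders a constructed ticket title as page text and inside a share button's data-text attribute, once the way the post describes the flaw and once with attribute encoding, and checks each fragment with Python's own HTMLParser to confirm which tags and attributes actually come out. The `twitter-share-button` markup and the sample titles are assumptions made for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample titles. The first has the shape of the ticket title quoted in
# the post; the second contains no angle brackets at all, only a stray quote.
HOSTILE_TITLE = '"><script>alert(/Sukhwinder Singh/)</script>'
ATTR_BREAKOUT_TITLE = 'hello" data-injected="yes'


def render_heading(title: str) -> str:
    """Text-node context: encoding < > & is enough here, even with quotes untouched."""
    return "<h1>" + html.escape(title, quote=False) + "</h1>"


def render_share_button_raw(title: str) -> str:
    """The failure described in the post: the title is encoded where it is shown as
    text, but the copy placed into the share button's data-text attribute is not."""
    return '<a class="twitter-share-button" data-text="' + title + '">Tweet</a>'


def render_share_button_text_encoded(title: str) -> str:
    """A common near-miss: reusing the text-node encoder (quotes left alone) for an
    attribute value. No tag can be injected, but the attribute can still be closed."""
    return ('<a class="twitter-share-button" data-text="'
            + html.escape(title, quote=False) + '">Tweet</a>')


def render_share_button_fixed(title: str) -> str:
    """Attribute context: encode quotes too (quote=True is html.escape's default)."""
    return ('<a class="twitter-share-button" data-text="'
            + html.escape(title, quote=True) + '">Tweet</a>')


class _Collector(HTMLParser):
    """Records which tags, attributes and text a tokenizer extracts from a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags, self.attrs, self.text = [], {}, []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.setdefault(tag, dict(attrs))

    def handle_data(self, data):
        self.text.append(data)


def tokenize(fragment: str) -> _Collector:
    collector = _Collector()
    collector.feed(fragment)
    collector.close()
    return collector


def heading_is_safe(fragment: str, title: str) -> bool:
    """Exactly one <h1> was created and the title survived as plain text."""
    parsed = tokenize(fragment)
    return parsed.tags == ["h1"] and "".join(parsed.text) == title


def share_button_is_safe(fragment: str, title: str) -> bool:
    """Exactly one <a> was created, it carries only the two intended attributes,
    and data-text decodes back to the original title."""
    parsed = tokenize(fragment)
    return (parsed.tags == ["a"]
            and set(parsed.attrs["a"]) == {"class", "data-text"}
            and parsed.attrs["a"]["data-text"] == title)


if __name__ == "__main__":
    for label, render in [("raw", render_share_button_raw),
                          ("text-encoded", render_share_button_text_encoded),
                          ("fixed", render_share_button_fixed)]:
        for title in (HOSTILE_TITLE, ATTR_BREAKOUT_TITLE):
            print(f"{label:13s} {share_button_is_safe(render(title), title)}")
```

The `ATTR_BREAKOUT_TITLE` case is why the check looks at attributes and not only at tags: a value with no angle brackets passes a text-node encoder unchanged and still closes the attribute. Encoding for the attribute context, quotes included, is what makes both fragments round-trip.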

Security researcher Vedachala from ICD has identified a cross-site scripting flaw in the website of the famous newspaper Times of India.

Times of India is one of the leading newspapers, bringing the latest and top breaking news on politics and current affairs in India and around the world, cricket, sports, business, Bollywood news etc.

POC [Unfixed] :
http://epaper.timesofindia.com/Daily/skins/TOI/welcome.asp?QS="><iframe src="http://www.breakthesecurity.com" width=2000 height=900>

The researcher also found an XSS vulnerability in the NDTV Good Times website. NDTV Good Times is the flagship channel of NDTV Lifestyle, part of the NDTV Group.

POC [Unfixed] :
http://goodtimes.ndtv.com/video/video.aspx?id=52733"><iframe src="http://www.breakthesecurity.com" width=2000 height=900>

Recently the researcher also found XSS vulnerabilities in popular sites such as Airtel, 000webhost and IBN CNN.

A 17-year-old security researcher, V3d@ch4La from Indian Cub3r Dev!Ls, has discovered a non-persistent XSS security flaw in the official website of IBN (ibnlive.in.com).

Cable News Network-Indian Broadcasting Network (CNN-IBN) is an English-language Indian television news channel. The network is a partnership between Global Broadcast News (GBN) and Turner International (Turner) in India (a subsidiary of Time Warner).

POC:
http://ibnlive.in.com/searcher/search.php?searchq=\"><script>alert(/ E Hacking News/)</script>

An information security researcher has discovered multiple cross-site scripting vulnerabilities affecting the website of one of the top news channels, CNN.

A few days back the vulnerabilities were reported by Quister Tow. They reside in three different subdomains of CNN: searchapp.cnn.com, audience.cnn.com and dynamic.si.cnn.com.

POC:

1.http://dynamic.si.cnn.com/baseball/mlb/search/mlbPlayerSearchResults.jsp?searchName=<script>alert(/QuisterTow/)</script>

2.http://searchapp.cnn.com/weboffers/weboffers.jsp?itype=cnn&cid=cnn&text=&domains=;</script><script>alert(/QuisterTow/);</script>&csiID=csi3

3.http://audience.cnn.com/services/si/flow/scoreAlertManagement?_flowExecutionKey=<script>alert(/QuisterTow/)</script>

While I was verifying the XSS vulnerabilities, I found another critical security flaw in the website that exposes the source code.

POC for JSP source code disclosure:
http://sportsillustrated.cnn.com/baseball/mlb/search/mlbPlayerSearchResults.jsp

I immediately reported the security flaw to CNN. But there has been no response from their side, so I am publishing the details here.

Security researcher kuksool from n0careteam has identified cross-site scripting flaws in two famous websites, Photobucket and SecurityXploded.

POC for photobucket [unfixed]:
*Load http://photobucket.com/plugin/search
* Enter the following code and hit enter:
" onload=alert&#40;'xss!'&#41;>click me!"

POC for SecurityXploded [FIXED]:
*Load http://securityxploded.com
* Enter the following code and hit enter:
" onload=alert&#40;'xss!'&#41;>click me!"

The researcher claimed to have reported it to the Photobucket team. Let us hope they will fix the vulnerability soon.

After I sent a notification to SecurityXploded, they fixed the vulnerability immediately.

Today, information security researcher QuisterTow came up with an interesting vulnerability finding in one of the top search engine websites, Yahoo.

A cross-site scripting vulnerability resides in the hk.promotions.yahoo.com domain. It is a click-based XSS: when I click the Flash content, the injected code is executed.

POC code:
http://hk.promotions.yahoo.com/wedding2010/home_banner.swf?clickTAG=javascript:alert(/ E Hacking News /);

The above finding is a really interesting one. Just load the URL and click on the Flash content, and the code is executed.

At the time of writing, the vulnerability is still there.

Ravi Kariya, a security analyst from Cyber Octet Pvt. Ltd (facebook.com/cyberoctet), has discovered critical vulnerabilities in the official website (divyadutta.co.in) of the famous Indian actress Divya Dutta.

There are two SQL injection vulnerabilities in the website. One of them resides in the Press Clips page of the site (divyadutta.co.in/pressclipdetail.asp?id=7); a malicious hacker can exploit it to extract the database.

The other one is more critical: it allows attackers to bypass the login authentication. A malicious hacker can log in to the website as admin (divyadutta.co.in/admin/) by injecting a crafted password that modifies the SQL query so that the login succeeds.

There is also a cross-site scripting vulnerability in the Contact Us page (divyadutta.co.in/contact.asp). Injecting the following code into the fields and clicking the submit button executes the injected code:

"><script>alert('My Love For Divya Dutta')</script>

Ravi tried to contact Divya Dutta via email and Twitter, but she failed to respond to his query. It seems that she doesn't realize the severity of this security flaw. A black-hat hacker would be able to deface the site with these vulnerabilities.

I think she will respond after some black hats attack the site. What do you think, guys?

*Update*
After E Hacking News published this story, the admin pulled down the Divya Dutta site. Now the site displays the following error message:

"Directory Listing Denied.This Virtual Directory does not allow contents to be listed."

A security researcher, Shikhil Sharma, has identified a non-persistent cross-site scripting vulnerability in one of the leading online job search portals, Monster.

Monster is the largest job search engine in the world. Monster has over a million job postings at any time and over 1 million resumes in the database (2008), and over 63 million job seekers per month. The company employs approximately 5,000 employees in 36 countries.

The job search field in the Monster India website (jobsearch.monsterindia.com) is found to be vulnerable to XSS injection.


POC:
http://jobsearch.monsterindia.com/searchresult.html?fts='/><script>alert('E+Hacking+News')</script>&x=0&y=0&mne=&mxe=

The same vulnerability affects the Hong Kong (jobsearch.monster.com.hk) and Gulf (jobsearch.monstergulf.com) branches of the Monster job portal.

An information security researcher with the online handle 'TheR00tC0de' has identified two cross-site scripting vulnerabilities in one of the famous file hosting service websites, Mediafire (www.mediafire.com).

In an email sent to EHN, the researcher provided the two vulnerable links that execute the injected code.


Xss vulnerability in Mediafire

The researcher claimed that he sent a notification about the vulnerability to the Mediafire team and is waiting for their response. The researcher asked me not to publish the vulnerable links.

At EHN, I have confirmed those vulnerabilities. Let us hope the Mediafire security team will fix them soon.

Recently, one of the E Hacking News readers, Mahadev Subedi, identified an XSS vulnerability in the file uploading service of Mediafire.

A 21-year-old information security expert, Narendra Bhati from Sheoganj, Rajasthan, has discovered a non-persistent XSS security flaw in the official website of BrotherSoft.

Narendra found that the search query field on the brothersoft.com webpage is vulnerable to an XSS attack.

BrotherSoft serves customers worldwide as one of the top 5 software download websites. Over 250,000 freeware and shareware programs are available for free download across 7 channels, including Windows, Mac and Mobile. There are more than 10,00,000 downloads every day on their site.

POC code:
http://search.brothersoft.com/index.php?stype=windows&keyword="><script>alert("XSS")</script>

The site also allows users to inject the iframe code:
http://search.brothersoft.com/index.php?stype=windows&keyword="/><iframe+src="http://www.indiaresults.com/"+width=1000+height=1000></iframe>

He also noticed that the Privacy Policy page of BrotherSoft is vulnerable to XSS. Narendra claimed that he reported the vulnerability to BrotherSoft 4 days ago, but they failed to respond.

One of the top free web hosting providers, 000WebHost, is found to have a website vulnerable to cross-site scripting. The vulnerability was discovered by the cyber security researcher Vedachala.

The domain name, subdomain name and email address fields in the "Order Free Web Hosting" page of the site (000webhost.com) are vulnerable to XSS injection.

The web app developer of this site fails to validate those inputs for special characters, which results in this security flaw.

POC code for this security bug:

    http://www.000webhost.com/order.php?domain=\"><script>alert(/e hacking news/)</script>&subdomain=\"><script>alert(/e hacking news/)</scrip&name=\"><script>alert(/E Hacking News/)</script>&email=\"><script>alert(/e hacking news/)</script>&pass1=\"><script>alert(/E Hacking New&pass2=\"><script>alert(/E Hacking New&aggree=yes&error_multiple=1&error_domain=1&error_subdomain=1&error_name=&error_email=1&error_pass=4&error_tos=&error_number=&error_js=&error_disposable=&error_bad_gmail=

The researcher also recently found a reflected XSS vulnerability in the Airtel website.

An information security expert, Narendra Chavda from Ahmedabad, Gujarat, has discovered a non-persistent XSS security flaw in the official website of WhatsApp.

Narendra found that the search query field in the FAQ webpage of whatsapp.com is vulnerable to an XSS attack.

When an attacker visits "www.whatsapp.com/faq/" and enters the XSS code in the field, the entered script is executed.

POC code:
www.whatsapp.com/faq/search/?q=<script>alert("E Hacking News")</script>

The site also allows users to inject iframe code:
http://www.whatsapp.com/faq/search/?q=<iframe src="http://www.ehackingnews.com/"height="1000px"width="1000px">

An information security expert, Narendra Bhati from Sheoganj, India, has discovered a reflected cross-site scripting vulnerability in the official website of Aegis Global (www.aegisglobal.com).

The Aegis group operates in the manufacturing and services sectors of steel, energy, power, communications, shipping ports and logistics, and construction, and also runs many BPO call centres in India for clients like TATA DOCOMO.

The vulnerability exists in the search field of the website. Injecting XSS code into the search box will execute the injected code.

For instance, injecting the following code in the search box will display the alert box:

    "><script>alert("E Hacking News")</script>

Narendra also found that the field allows a user to run iframe code, so an attacker could possibly inject a phishing page to scam innocent visitors.

    "/><iframe src="http://www.google.com" width=1000 height=1000></iframe>

Security researcher Vedachala, who has been acknowledged by PayPal, Zynga and other sites, has discovered a reflected cross-site scripting vulnerability in India's leading telecommunications services provider, Airtel (airtel.com).

The researcher found that the username and password fields on the page "ebpp.airtelworld.com/myaccount" are vulnerable to an XSS attack. This is a POST-request-based XSS.

Entering the following code in the username field, with any password, results in XSS:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

The researcher has also claimed to have found XSS on BSNL, Tata Docomo and 000webhost. He claimed that he reported the vulnerability to Airtel, but they failed to respond.

Recently, I (Sabari Selvan aka BreakTheSec) discovered an XSS vulnerability in the Airtel website and reported it to them. It seems they neither reply nor patch the vulnerability, so it is better to publish my finding in this same post.

The POC code for my finding:
http://www.airtel.in/wps/wcm/connect/airtel.in/airtel.in/home/foryou/mobile/prepaid+services/reach+airtel/PG_FY_MB_Prepaid_ReachAirtel/?page=cs_m&CIRCLE=2&CIRCLENAME="><script>alert("BreakTheSec")</script>

The hackers who recently defaced the top-level domains of Turkmenistan by exploiting a vulnerability in NIC.tm have discovered another vulnerability in the website.

They found that a few NIC websites use a vulnerable version of the Apache server (version 1.3.33). This version has a security flaw in its handling of invalid Expect headers: setting the Expect header value to XSS code results in a cross-site scripting attack.

GET / HTTP/1.1
Expect: <script>alert("E Hacking News")</script>
Host: nic.tm
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

Expect Header xss attack


The vulnerability affects four NIC websites: www.nic.ac, www.nic.tm, www.nic.io and www.nic.sh.

There is another important security flaw in this Apache server: mod_rewrite, which is vulnerable to a buffer overflow (Vulnerability Details).

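
A defender cannot patch every legacy server at once, so it helps to recognise this probe in traffic. The following Python is an added example (not the hackers' tool, and not Acunetix or Apache code): it parses a raw request of the shape captured above, reassembled here as a constructed sample, and reports header values that no legitimate client would send, including an Expect header that is anything other than 100-continue, markup in any header, control characters, and the scanner-identification headers seen in the capture. The header rules are assumptions chosen for the demonstration; the RFC 7231 point about Expect is not.

```python
import re
from typing import List, Tuple

# Constructed sample: the request shape shown in the post, reassembled with CRLF
# line endings and the terminating blank line a real request carries.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    'Expect: <script>alert("E Hacking News")</script>\r\n'
    "Host: nic.tm\r\n"
    "Connection: Keep-alive\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)\r\n"
    "Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)\r\n"
    "Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED\r\n"
    "Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

_MARKUP = re.compile(r"[<>]|&#|javascript:", re.IGNORECASE)
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request into the request line and (name, value) pairs.
    Obsolete folded continuation lines are joined onto the previous header."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def inspect_request(raw: str) -> List[str]:
    """One finding per header that no legitimate client would send that way."""
    _, headers = parse_headers(raw)
    findings: List[str] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "expect" and value.lower() != "100-continue":
            # RFC 7231 defines 100-continue as the only Expect expectation, so any
            # other value is a broken client or a probe of how the server echoes it.
            findings.append(f"{name}: unexpected value {value!r}")
        if lname.startswith("acunetix-"):
            findings.append(f"{name}: web vulnerability scanner fingerprint")
        if _MARKUP.search(value):
            findings.append(f"{name}: contains HTML/JavaScript markup")
        if _CONTROL.search(value):
            findings.append(f"{name}: contains control characters")
    return findings


if __name__ == "__main__":
    for finding in inspect_request(SAMPLE_REQUEST):
        print(finding)
```

Run over the sample request this yields five findings: two for the Expect header (wrong value, markup) and one per scanner header. The same function can be fed requests from an access or WAF log that retains headers; the point is that the Expect value is anomalous on its own, before any markup check runs.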
A security researcher from crackhackforum.com, Rynaldo, has discovered multiple vulnerabilities in one of the biggest antivirus companies, "BitDefender".

The researcher claimed that he sent several emails to BitDefender's team, but they have neither responded nor fixed the vulnerabilities.

"The website is having several reflected XSS vulnerabilities and a CSRF vulnerability. Also I have found a way to cause a DOS attack on the local server to take BitDefender temporarily down," Rynaldo said.

CSRF attack: https://my.bitdefender.com/en_us/my/#page=account.index A hacker is able to perform a CSRF attack to change the details on the user's profile. CSRF tokens aren't implemented and a password isn't required to change information on the profile.

Reflected XSS

XSS attack :
"my.bitdefender.com/en_us/": this page sets the language specification in the URL (en_us), but hasn't secured it very well. That means that by removing the language specification and putting our XSS payload in its place, our XSS script will be executed. Language specifications are forced in the URL on every page, which means we can inject our XSS on every page of "my.bitdefender.com".

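
The two missing controls Rynaldo describes, no CSRF token and no password check on profile changes, are illustrated below with an added Python example written for this page (not BitDefender's code): a session-bound HMAC synchronizer token issued into the form and verified in constant time on every state-changing request, and a handler that additionally demands the current password before the email or the password itself is replaced. The user store, secret, salt, field names and session layout are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed secrets and user store: in a real deployment the key comes from
# configuration and each user gets their own salt; one salt keeps the demo short.
SERVER_KEY = os.urandom(32)
_SALT = os.urandom(16)
_ROUNDS = 100_000
USERS: Dict[str, bytes] = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ROUNDS),
}


def issue_token(session_id: str, now: Optional[int] = None) -> str:
    """Synchronizer token bound to the session: timestamp + HMAC over (session, ts).
    It is embedded in the form; a cross-site page cannot read it, so cannot forge it."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_KEY, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_token(session_id: str, token: str, max_age: int = 3600,
                 now: Optional[int] = None) -> bool:
    """Reject malformed, expired, or wrong-session tokens; compare in constant time."""
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
    except (AttributeError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if issued + max_age < current:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def check_password(user: str, password: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ROUNDS)
    return hmac.compare_digest(stored, candidate)


def handle_profile_update(form: Dict[str, str], session: Dict[str, str],
                          now: Optional[int] = None) -> Tuple[int, str]:
    """State-changing handler. Both checks the post says were missing are enforced:
    a valid per-session token on every change, and the current password whenever
    the credentials themselves (email, password) are being replaced."""
    if not verify_token(session["id"], form.get("csrf_token", ""), now=now):
        return 403, "missing or invalid CSRF token"
    if ("email" in form or "new_password" in form) and \
            not check_password(session["user"], form.get("current_password", "")):
        return 403, "current password required to change credentials"
    # ... apply the update to the profile store here ...
    return 200, "profile updated"


if __name__ == "__main__":
    session = {"id": "sess-1", "user": "alice"}
    token = issue_token(session["id"])
    print(handle_profile_update({"display_name": "A"}, session))
    print(handle_profile_update({"display_name": "A", "csrf_token": token}, session))
    print(handle_profile_update({"email": "a@example.com", "csrf_token": token}, session))
```

The token is deliberately not stored server-side: the HMAC over the session id is what ties it to this session, and the timestamp bounds how long a leaked form is useful. Requiring the current password for credential changes is the second, independent control: even a token that leaked would not let a cross-site page take over the account.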
An Indian security researcher, Suriya, has discovered a reflected XSS vulnerability in the AOL website. AOL is an American global brand company that develops, grows, and invests in brands and web sites.

Initially, the researcher discovered the XSS vulnerability in Dmoz. After noticing the "In partnership with AOL search" text on the Dmoz website, he decided to test AOL for the vulnerability as well, and succeeded.

According to the researcher, the vulnerability was discovered five months ago. He immediately tried to contact the AOL security team. Unfortunately, he was not able to find a contact address for the security team, so he tried some email addresses provided on the site, but they failed to respond properly.

AOL xss

After a few months, he published the vulnerability details on his own blog in October 2012. But the XSS vulnerability is still there, unfixed.

POC code for the AOL XSS:
http://www.aol.com/?icid=';alert(String.fromCharCode(69, 32, 72, 97, 99, 107, 105, 110, 103, 32, 78, 101, 119, 115))//'

POC code for the Dmoz XSS:
http://www.dmoz.org/search?q="><script>alert("E Hacking News")</script>


Dmoz XSS

"You might be wondering why I included the alexa.com rank for the sites; that's because I wanted to show you all how even a small site has more instinct to fix a vulnerability, but AOL with its hundreds of workers could not even bother giving me a proper reply," Suriya said.

"Well, I really didn't know. But I think I wanted to show the world how people treat us and to tell AOL to follow the path of PayPal, Microsoft etc., allowing people to at least securely report vulnerabilities; even if you are not paying them, at least acknowledge the people who give time and resources out of their lives to help you!"

An information security researcher, Mahadev Subedi, from coolpokharacity.com has claimed to have discovered a persistent cross-site scripting vulnerability in the Mediafire website (mediafire.com).

It seems that the vulnerability exists in the file uploading feature of Mediafire: the developers fail to sanitize the file name of the uploaded file.

Persistent xss vulnerability in Mediafire

"Whenever we upload file names containing encoded or decoded malicious XSS codes, it results in cross-site scripting," the researcher said in the email.

For instance, creating a file with the following name and uploading it results in XSS:
"><img src=x onerror=alert(1)>.jpg.txt

Recently security researcher Frans Rosén discovered a similar kind of vulnerability in Dropbox.
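
As an added example, not code from Mediafire, Dropbox or either researcher: a Python upload-name sanitizer that undoes percent-encoding and applies NFKC normalisation before a character allow-list, so that the "encoded or decoded" names the researcher mentions are judged on the same decoded form, together with the output encoding that display code still needs for names stored before any such sanitizer existed. The allow-list, the length limit and the sample names are assumptions chosen for the demonstration.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

# Characters a stored display name may keep; everything else is dropped.
_ALLOWED = re.compile(r"[^A-Za-z0-9._ -]")
_MAX_LEN = 128


def canonicalize(name: str, rounds: int = 3) -> str:
    """Undo percent-encoding until the value stops changing (bounded), then apply
    NFKC so look-alike code points become their ASCII equivalents. The name is
    judged on this decoded form, not on the form the client chose to send."""
    for _ in range(rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return unicodedata.normalize("NFKC", name)


def sanitize_filename(name: str) -> str:
    """Reduce an uploaded file name to a conservative allow-list on the way in."""
    name = canonicalize(name)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]      # drop any directory part
    name = "".join(ch for ch in name if ch.isprintable())   # no control characters
    name = _ALLOWED.sub("", name)                           # allow-list, not deny-list
    name = re.sub(r" +", " ", name).strip(" .")             # no hidden/dot-only names
    return (name or "upload")[:_MAX_LEN]


def render_file_row(stored_name: str) -> str:
    """Output encoding on display is still required: names stored before the
    sanitizer existed, or written by another code path, must not be trusted."""
    safe = html.escape(stored_name)  # quote=True: safe in both text and attribute
    return f'<li class="file" title="{safe}">{safe}</li>'


if __name__ == "__main__":
    # Constructed inputs: the name from the post, a percent-encoded spelling of the
    # same name, a full-width look-alike, and an ordinary name.
    for raw in ['"><img src=x onerror=alert(1)>.jpg.txt',
                "%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E.jpg.txt",
                "report\uff1cscript\uff1e.pdf",
                "My Photo (1).JPG"]:
        print(repr(raw), "->", repr(sanitize_filename(raw)))
```

The decode-then-normalise step is what makes the encoded and decoded spellings of the same name collapse to one result; a deny-list applied to the raw string would have seen nothing suspicious in the percent-encoded form. The allow-list is strict by design: it keeps a display name, not the user's exact wording, and the original bytes can be kept separately if they are ever needed.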

COPYRIGHT 2012 by EHN.