Reflected XSS vulnerability affects Millions of sites hosted in HostMonster

Recently, We reported about the Reflected Cross Site scripting vulnerability in the HostGator India hosting site that affects millions of hosted sites. Today, Another Indian Security Researcher , Ramneek Sidhu , come with another interesting find.

Ramneek Sidhu has discovered Reflected XSS Vulnerability in One of the Biggest WebHosting site "HostMonster" ( Just like in the previous case, this Vulnerability affects all sites hosted in the HostMonster.

The vulnerability discovered in Subdomain of Hostmonster:"><SCRIPT>alert(document.cookie)</SCRIPT><SCRIPT>alert("Evolution of Revolution")</script><img src=" /" />
The vulnerability was reported to Aarshit Mittal by the Security Researcher.  Aarshit started to analyze the vulnerability and find few more interesting things. He discovered that each and every websites hosted in the Hostmonster vulnerable to Reflected XSS.

Find the list of sites hosted in Hostmonster.  You can do this by searching for "Ip:ip:" in Bing.  This single IP search gives 36,000 results.  All of those sites are affected by this security flaw.  For instance, let us take "".

The POC for this site is:"><SCRIPT>alert(document.cookie)</SCRIPT><SCRIPT>alert("Evolution of Revolution")</script><img src=" /" />
At EHN, i have just Analyzed the affected sites to know what cause this security flaw. It seems like this flaw occured when the developer try to display the ads in the 404 not found page.

There is a javascript code that generate ads.  Interestingly, the code uses referrer . The referrer is the current address.  Unfortunately, the developers fails to sanitize the url. This results in Reflected XSS.

Millions of sites hosted in Hostgator India vulnerable to Reflected XSS

HostGator is one of the leading Web hosting provider found to be vulnerable to Non-Persistent Cross Site scripting vulnerability.  The vulnerability was discovered by Indian Security Researcher "Manjot Gill". The finding was intially published in one of my Friend Aarshit Mittal Security News portal Cyber-N.

The Researcher Manjot discovered the vulnerability in Subdomain of Hostgator.  He also claimed that lot of sites hosted in Hostgator are vulnerable to.

Poc for the Subdomain XSS:"><script>alert("HACKED BY ICH ")</script>
Aarshit Mittal analyzed the finding and he discovered few more interesting things. 

Search for "", you will get more than 64,600 results. All of those subdomains are affected by this vulnerability. For Example take the first site from the result, "". It is affected by the XSS.

Also, you can search for the list of sites hosted by searching for the IP dork in Bing. For Instance , search for "ip:" in Bing will result the list of affected sites.

You can find the rest of vulnerable sites by changing the ip from "" to "".

Also the main domain is also affected by this vulnerability:"><script>alert(document.cookie)</script>

The affected sites are created and hosted via the IndiaGetOnline ( "Get India Business Online" is an initiative by Google that allows you to create a website for your business in 15 minutes, for free.  HostGator is providing you with hosting, their leading site building tool, and support.

All the sites created by Hostgator "Site building tool" are affected by this vulnerability because of the main "site building" site( itself affected by this security flaw.

Reflected-XSS Vulnerability in

A Security Researcher Adwiteeya Agrawal has discovered Non-persistent Cross site scripting(XSS) Security flaw in the is the web's leading platform for social change, empowering anyone, anywhere to start petitions that make a difference.

The vulnerability has been discovered in the Simple Search Form used in the website. The developer fails to validate the search keyword given by the user.

POC:✓&q=<script>alert("XSS By Adwiteeya Agrawal")</script>

Stored XSS vulnerability in Facebook and researcher got $3,500 Bug Bounty

A security Researcher Frans Rosén has discovered Cross Site Scripting vulnerability in Facebook and DropBox.

Initially , the researcher was working on finding security flaws on DropBox.  He noticed that when using their web interface there were some restrictions on what filenames that were allowed.  He tried to rename the file with '"><img src=x onerror=alert(document.domain)>.txt  But he got error message that some special characters are not allowed.

"But, if you instead, connected a local directory, created a file there and synced it, you got it inside Dropbox without any problems."The researcher explained in his blog. "Using this method I was able to find two issues with their notification messages showing unescaped filenames."

He notified DropBox about the vulnerability and they have successfully patched the flaw.

After some time, he noticed that there is connection between DropBox and Facebook. You can add files directly from DropBox to your Facebook groups. So he was curious to test the vulnerability in Facebook also.

In his Facebook group, he tried to add the previously uploaded file in the DropBox.  After he posted in the group, the xss attack didn't work.  But when he clicked the 'Share' link in the post, he got alert message.  Yes, Successfully, he managed to run the Script in Facebook.  The XSS also worked when he shared the crafted pin from the Pinterest.

Researcher got $3,500 USD bug bounty for notifying the vulnerability, facebook fixed the vulnerability now.

Vulnerability Lab discovered persistent XSS vulnerability in Paypal

vulnerability lab

The Vulnerability Laboratory Research Team discovered persistent web vulnerability in the official Paypal (core) ecommerce website content management system.

The security flaw allows remote attackers to implement/inject own malicious script code on the application side (persistent).

The persistent input validation vulnerability is located in the Adressbuch module with the bound vulnerable search function when processing to request script code tags as `Addressbuch` contacts. The code will be executed out of the search result listing web context. Remote exploitation requires low user interaction and a privileged paypal banking application user account.

Successful exploitation of the vulnerability results in persistent session hijacking (admin), account steal via persistent phishing or persistent search module web context manipulation.

In an email sent to EHN, The Vulnerability has submitted the proof-of-concept for the security flaw. You can find the poc code here :

The name with the code was saved in the addressbook. Only the matching and successful result leads to the persistent execution of the web context.

When the other user is searching the existing account of the addressbook the code will be executed persistent out of the matching search result web context listing.

Few months after the vulnerability notified the Paypal , Paypal security team has successfully patched the vulnerability on December 11.

Cross site scripting Vulnerability in Adobe website

A Researcher has discovered Reflected Cross site scripting(XSS) vulnerability in the official website of Adobe Systems Incorporated and submitted the vulnerability to Secureless.

According to the researcher, the vulnerability has been reported few months ago but there is no response from Adobe.

The  '' found to be vulnerable to reflected or non-persistent XSS security flaw.  Researcher managed to execute the javascript by injecting the script in the month parameter.

adobe xss vulnerability

The Poc and exploit details has been archived here:
The vulnerability allows a cyber criminal to launch phishing attack , session hijacking, redirecting to malicious sites and more. At the time of writing, The vulnerability is still there.

*Update 1* Today, we got response from Adobe Security Team that they are researching the bug and will fix it soon.

*Update 2 * (12 Dec) The vulnerability has been fixed.

Tumblr worm spread due to unfixed Stored XSS vulnerability

tumblr worm xss

The day after Tumblr was hit by a "worm" that left many Tumblr websites defaced with an identical message by Internet troll group GNAA, a security researcher has confirmed there is Stored Cross site scripting vulnerability in Tumblr that allowed attackers to hack Tumblr.

According to Naked Security report, the worm appears to took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.

If you were not logged into Tumblr when your browser visited the url, it would simply redirect you to the standard login page.

According to some news report, the hackers behind the attack has warned Tumblr weeks ago about a vulnerability. But there is no response from Tumblr.

Tumblr XSS hack
Janne Ahlberg confirmed XSS vulnerability

"I created a temporary Tumblr account using different browser, submitted a public post with stored XSS payload and visited the profile from another PC & different account. The vulnerability seems to be valid." Security researcher Janne Ahlberg confirmed the xss flaw in his blog post.

"A new Tumblr worm could still be possible. See analysis by @JanneFI: … Good example on how XSS vulns are not harmless." Mikko Hyppönen, CRO at F-Secure tweet reads.

*Update* Tumblr is still vulnerable to stored-XSS Read the updated post here 

[unfixed] Persistent XSS Vulnerability in Ebay

The Indian security researcher, Shubham Upadhyay with online handle Cyb3R_Shubh4M, has discovered a persistent cross site scripting vulnerability in eBay site.

In an email sent to, researcher explained the details of vulnerability. In order to exploit the vulnerability, attackers would need a seller account.Once login to seller account on eBay, the attacker would create a listing for sale where he put the XSS exploit code.

At the time of writing , the vulnerability is unfixed . Here is the page where he injected his code:

The mirror is available here:

According to the researcher, it also gets executed in the domain when logged in the seller acco

XSS Vulnerability found in Myspace,MTV,bank,Nasa,government,airline websites

XSS Vulnerability in high profile sites

A Hacker with a handle "human mind cracker" has discovered Cross site scripting vulnerability in high profile websites including government,bank , airline websites.

The list of affected sites includes isreal airline(, Myspace, MTV, Sweden government(, Bangladesh bank (, Nasa(

Other affected sites are Brown Universty(, afghanistan government(, Rome government(

All of them are reflected XSS Vulnerability.  Cyber criminals can exploit these vulnerability for their malicious purpose.  They can lure victims into clicking the crafted url that can redirect user to phishing or malware sites.

For example , injecting the following code will redirect user to Google from the vulnerable site:
Hackers can replace the with malicious url and redirect user to malware page.

He has posted the poc in the pastebin:

Besides the XSS vulnerability, he also discovered Cross site Request Forgery(CSRF) security flaw in the MTV and Sweden governement site, SQL Injection vulnerability in

Reflected XSS Vulnerability found in Verizon

Reflected Cross site scripting vulnerability has been found in Verizon by #Nullcrew.

The hacker tweeted the poc for the vulnerability

As usual, i have tested whether the vulnerability allows attacker to redirect to another site by injecting the following code:


It successfully redirects me to Google.  It means that an attacker can lure user into clicking the crafted link and redirects to any sites he want.  The attacker can hijack sessions and more.

Persistent XSS vulnerability in DELL

Nikhil Kulkarni, Security expert, has discovered Persistent Cross Site Scripting(XSS) security flaw in the official website of Dell. 

"The Persistent or Stored XSS attack occurs when the malicious code submitted by attacker is saved by the server in the database, and then permanently it will be executed in the injected page."

The password hint field in the my account page of the found to be vulnerable to stored XSS attack.

Nikhil managed to inject his own javascript code in the password hint field.  Whenever he load the My account page, it executes the injected code.

Nikhil sent notification about the vulnerability to Dell Security Team.  The vulnerability has been fixed now. 

U.S Department of Transportation vulnerable to CSRF,SQLi and XSS

wiki boat brazil

The Hacker group called as 'The Wiki Boat Brazil' has discovered three critical vulnerabilities in the official websites of U.S Department of Transportation(

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request to the server. 

The site found to be vulnerable to Cross-site request forgery(CSRF) attack. The hackers provided us the POC for the CSRF attack. This vulnerability allows attackers CSRF to change user to admin , if admin user click the specially-crafted link .

They've also discovered SQL Injection vulnerability in the ITS Deployment Statistics sub domain of U.S. Department of Transportation (

Environmental Review Toolkit page( vulnerable to Non-persistent Cross site scripting(XSS) attack.

They've also leaked some data compromised from Federal Highway Administration(

Few days back, they have attacked the  Ministry of Finance and Federal Police sites in Brazil.

The details can be found here:

XSS vulnerabilities has been fixed in Firefox 16.0.2

Mozilla has released updated versions of Firefox, Thunderbird, SeaMonkey that close three critical vulnerabilities related to the Location object .

Vulnerability details:
The vulnerability allows attacker to use the valueOf method combined with some plugins to perform a XSS attack on users.

CheckURL function in window.location can be forced to return the wrong calling document and principal, results in XSS attack

Allow an outsider to bypass security wrapper protections on the Location object, allowing the cross-origin reading of the Location object

The vulnerabilities has been fixed in Firefox 16.0.2, Firefox ESR 10.0.10, Thunderbird 16.0.2, Thunderbird ESR 10.0.10 and SeaMonkey 2.13.2.

Persistent XSS Vulnerability in 160By2

Hi, I've discovered a persistent cross site scripting vulnerability in 160by2 website, a popular site used for sending SMS.

Today, while i'm sending message to one of my friend from 160by2, My Hacker mind started to work (after long time).  I insert a script instead of message. Successfully , the message has been sent to the receiver.

 The inserted script:

At the same time, 160by2 displayed the message send by me in the Sent Box.  Yeah, inserted-script is being executed and displayed the popup. 

Whenever i visit the Sent box, the popup is being displayed. In fact, the popup is being displayed in the main page also because of "LAST 5 MESSAGES SUMMARY" section in the home page.

I consider the risk level of this vulnerability as very very low because it only work when you logged in.  So, it won't help attackers to target victims.

XSS vulnerability found in Google "Translate foreign language" feature

A Security Researcher with handle "PandaSec" , have discovered Cross Site Scripting (XSS) vulnerability in the Google.

The "Translate foreign language" feature found to be vulnerable to Non-persistent xss attack.

The Researcher test the vulnerability in Firefox 14.0 , successfully exploit the vulnerability.  According to researcher statement, the older version's were not affected.

He immediately reported to google about the vulnerability. The Google has replied with the following message "Congratulations! This vulnerability is eligible for a reward of $500."

The vulnerability has been fixed now. 

StumbleUpon vulnerable to Reflected Cross site scripting

A security researcher, Rafay Baloch, has discovered Cross site scripting vulnerability in the StumbleUpon , One of the famous social bookmarking website with alexa rank of 149.

"Few days before, while i was hunting for vulnerabilities inside," Rafay said in his blog post. "Fiddler helped me obtain a non persistent XSS vulnerability inside stumbleupon"

He send notification about the vulnerability to StumbleUpon, however there is no response from other side.

"For security reasons i cannot disclose the URL and parameters for the injection, I hope stumbleupon fixes the vulnerability pretty soon." researcher said.

At the time of writing, the vulnerability is not patched and we are able to exploit the vulnerability.  In fact, i inject a redirection code that successfully redirects me to the given url.  So , an attacker can exploit this vulnerability for launching social engineering attack and redirect user to malicious site. Also it is possible to hijack session that allows attacker to take control of your stumble upon account.

Few days back, Rafay also discovered a redirection vulnerability in Facebook. 

Reflected XSS vulnerability in Abdul Kalam's Website

A Security Researcher from India, Girish Shrimali has discovered Cross site scripting vulnerability in the official website of an Indian scientist and administrator who served as the 11th President of India, A. P. J. Abdul Kalam.

The discovered XSS vulnerability is Reflected type, means non-persistent vulnerability and exploited via crafted url.

Normally, The Reflected  XSS are considered as low risk. Even thought the risk level is estimated as low, the attackers can redirect users to phishing or any other malicious sites.


SQL Injection and XSS vulnerability in

A grey-hat hacker has discovered Critical SQL injection and cross site scripting vulnerability in the official website of The U.S. Navy (

"Recently I was pentesting one of subdomains and found serious sql injection that allowed me to extract sensitive data from website database.Sql injection is located in post parameters of a form value.Attacker just needs to craft valid query and submit it to the server." the hacker wrote in an email.

SQLi vulnerability

He also discovered two xss vulnerabillites located on same subdomain , one is post xss and other is get xss , both reflective

"I have reported this to website security and I hope it will be resolved soon.After the fix I will disclose link locations on my blog" hacker said.

"Never trust user input." The hacker said as message to webmasters.

XSS vulnerability found in MasterCard site by nullcrew

The well-known hacker group NullCrew has discovered a non-persistent Cross Site scripting(XSS) vulnerability in official website of MasterCard. The subdomain "Mobile Payments Readiness( found to be vulnerable to XSS attack."><script>alert("NullCrew")</script>

Usually , the Non-persistent or reflected XSS are considered as low risk.  Even thought the risk level is estimated as low, the attackers can steal user accounts by social engineering attack.
For instance , A hacker can redirect victim to malicious or phishing sites by injecting redirection script in the url.  I have tested the redirection script,Successfully it redirects me to another site.

The above script redirects to google. An attacker can send the crafted-link and lure users into believe they are visiting legitimate master card site. But, in fact, they are being redirected to malicious site. 

NullCrew has also discovered XSS vulnerability on the Department of Homeland Security.

Tumblr patched the critical Persistent XSS vulnerability

A Security researcher, Riyaz Ahemed Walikar, has posted evidence of a serious persistent Cross Site Scripting(XSS) vulnerability on Tumblr, the popular microblogging platform.

XSS flaws are highly common on websites these days, but most of them are non-persistent and implicitly less dangerous.

"XSS can cause a lot of serious problems. An attacker can steal cookies, redirect users to fake or malicious sites, control a user's browser using automated frameworks like BeEF and download and execute exploits on the victim's computer," Researcher said in the blog post.

"Stored XSS is even more dangerous since the script is stored on the server and is executed everytime user visits an infected page."

Researcher found vulnerability  on the 'Register Application' page at The application was not sanitizing user input when a user would create a new application. An XSS attack vector like tester "><img src='x' onerror="alert(document.cookie)"/> would trigger an alert box, displaying the user's cookie, in the browser.

Tumblr were notified more than three weeks ago on the issue. Finally, they fixed the vulnerability Today(july 14).

If you don't know what XSS is, you can read this article "Xss For Beginners".