Hey Snapdeal – You’ve got a XSS vulnerability [Fixed]


Update: I got a mail from the Snapdeal security team, and this vulnerability has been fixed.

I just found an XSS vulnerability on a very popular Indian e-commerce site, snapdeal.com. It was a bit tricky to find the XSS pattern, because searching for a string containing some JavaScript functions such as “alert(” or “String.fromCharCode(” returned an “Access Denied” page. However, a search string containing “eval(” did not trigger any error.
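The behaviour described above looks like a blocklist on JavaScript function names, which is not an XSS defence: the search term still has to be escaped for the context it is reflected into. The example below is added here and is not Snapdeal's code; `blocklistFilter` is a hypothetical reconstruction with the behaviour the post reports, and `renderSearchEcho` shows the context-aware escaping that actually removes the risk.

```javascript
// Hypothetical reconstruction of a blocklist filter with the behaviour the post
// describes: "alert(" and "String.fromCharCode(" are refused, "eval(" is not.
// This is an added illustration, not the site's real filter.
const BLOCKED_TOKENS = ["alert(", "String.fromCharCode("];

function blocklistFilter(query) {
  const lowered = query.toLowerCase();
  for (const token of BLOCKED_TOKENS) {
    if (lowered.includes(token.toLowerCase())) return "Access Denied";
  }
  return query; // everything else is reflected verbatim: the gap a blocklist leaves
}

// Defensive fix: escape every character that is significant in HTML text and
// attribute contexts before the value is reflected into the page. Encoding the
// output makes the blocklist unnecessary, because no input can break out of
// the text node it is placed in.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  })[ch]);
}

// Build the "You searched for ..." fragment the way a hardened page should.
function renderSearchEcho(query) {
  return `<p>You searched for: <b>${escapeHtml(query)}</b></p>`;
}

// Constructed sample inputs (not taken from the post).
const samples = ["red shoes", "alert(", "eval(", '<b>"shoes"</b>'];
for (const q of samples) {
  console.log(JSON.stringify(q), "->", blocklistFilter(q), "|", renderSearchEcho(q));
}
```

Note that `blocklistFilter` passes `"eval("` through untouched while `renderSearchEcho` neutralises markup in any input, which is why output encoding rather than keyword filtering is the mitigation to ask for.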

[Screenshot: Snapdeal XSS Access-Denied page]
