Hey Snapdeal – You’ve got an XSS vulnerability [Fixed]


Update: I got an email from the Snapdeal security team, and this vulnerability has been fixed.
I just found an XSS vulnerability on the very popular Indian e-commerce site snapdeal.com. It was a bit tricky to find the XSS pattern, because searching for a string containing certain JavaScript function names such as “alert(” or “String.fromCharCode(” returned an “Access Denied” page. A search string containing “eval(”, though, did not trigger any error.

Screenshot: Snapdeal XSS Access-Denied

I analyzed the source of the results page and found one place, inside a block of JavaScript code, where the search string was being echoed without any sanitization. After a couple of tries, I found the XSS pattern:

';return obj;})();var str='ale'+'rt("'+'XSS ;-)")';eval(str);</script>

This pattern has three main parts:

The first part, ';return obj;})();, closes the string literal that the search term is echoed into, returns from the enclosing function and completes its invocation. This makes sure that the JavaScript code written after it runs without syntax errors.

The second part, var str='ale'+'rt("'+'XSS ;-)")';, builds the string alert("XSS ;-)") by concatenation and stores it in a variable called str. The concatenation is needed because of the constraint mentioned in the first paragraph: the literal substring “alert(” never appears in the request, so the “Access Denied” check is not triggered.

The third part, eval(str);, evaluates and executes the string stored in str as JavaScript code, which displays an alert box. The trailing </script> just closes the script tag, so whatever is left of the original script after the echoed value is no longer parsed as JavaScript. Try searching for the XSS pattern in Snapdeal’s search box and you can see the alert box.

Screenshot: Snapdeal XSS

To read further about how an XSS vulnerability can be exploited, go through my two posts mentioned below.
