Update: Got a mail from the Snapdeal security team, and this vulnerability has been fixed.
I was randomly browsing through shop.airtel.com and discovered an XSS vulnerability. It is one of the simplest forms of XSS attack, known as the end title tag attack. The vulnerability is present in web pages that put the search string directly between the title tags without sanitizing it.
So simply closing the title tag and putting a script tag after it does the trick. I searched for the following in the search box on the page shop.airtel.com:
And there it was, the alert dialog box!!! (see screenshot below)
Note: This type of vulnerability is blocked by Google Chrome’s XSS auditor, so use Firefox to test it.
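From the site owner's side, the fix for the flaw described above is to HTML-encode the search string before it goes between the title tags. The following is an added example, not code from the affected site: the template, the probe string and all function names are constructed for illustration. It renders the same page with and without encoding and checks whether the search string stays plain text.

```python
import html
from html.parser import HTMLParser

TEMPLATE = "<html><head><title>Search: {q}</title></head><body></body></html>"
# Constructed probe: closes the title early, then opens a script holding only a comment.
PROBE = "shoes</title><script>/* constructed marker */</script>"

def render_vulnerable(query):
    # The flaw described above: the search string goes between the title tags as-is.
    return TEMPLATE.format(q=query)

def render_escaped(query):
    # Fix: HTML-encode the string so <, >, & and quotes arrive as text, not markup.
    return TEMPLATE.format(q=html.escape(query))

class PageAudit(HTMLParser):
    """Collects the sequence of opened elements and the text inside <title>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.title, self._in_title = [], "", False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self._in_title = (tag == "title")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit(page):
    parser = PageAudit()
    parser.feed(page)
    parser.close()
    return parser.tags, parser.title

def input_stays_text(render, query):
    """True if the query adds no elements and appears verbatim in the title."""
    baseline_tags, _ = audit(render("shoes"))
    tags, title = audit(render(query))
    return tags == baseline_tags and title == "Search: " + query

if __name__ == "__main__":
    for render in (render_vulnerable, render_escaped):
        print(render.__name__, "safe" if input_stays_text(render, PROBE) else "UNSAFE")
```

`html.escape` covers HTML text and title content only; a search string echoed into an attribute, a URL or inline JavaScript needs the encoding for that context.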
Lately, I’ve seen a lot of people using ad block extensions/addons to block ads on websites. Such extensions/addons reduce the clutter a bit and hence provide a better browsing experience to the user. But on the other hand, many sites depend solely on ad revenue to keep running.
In order to fix this problem, I quickly hacked a very tiny script which detects ad blocking extensions/addons. I’ve tested the script with AdBlock and AdBlock Plus extensions and it worked fine.
I was going through a few Indian e-commerce websites and found XSS vulnerabilities in a few of them. I’m not publishing injection patterns due to security reasons. If anyone from the companies listed below wants to know the injection pattern for their respective websites, get in touch. Below is the list of websites which are vulnerable: