Vivek Gupta
Today I had a dream again, that everything is once more as it was before. You are the same, I am the same, and the same dreams are in our eyes. आज भी वही काली शर्ट पहनी है, जिसने मैं तुम्ह...
Update: Got a mail from snapdeal security team, and this vulnerability has been fixed. I just found an XSS vulnerability on a very popular Indian e-commerce...
I was randomly browsing through shop.airtel.com and discovered an XSS vulnerability. This involves one of the simplest forms of XSS attack...
On the occasion of Black Friday, DigitalOcean offered $50 in credits (which is equivalent to 10 months free 512MB VPS plan). I was already a customer...
Lately, I’ve seen a lot of people using ad block extensions/addons to block ads on the websites. Such extensions/addons reduce the clutter a bit...
I was going through a few Indian e-commerce websites and found XSS vulnerabilities in a few of them. I’m not publishing injection patterns due to security...
Earlier, I demonstrated the XSS vulnerability in DealsAndYou (fixed) and now, I’ll demo an XSS bug on KoolKart.com. I’ll describe...
Dealsandyou.com, Y U NO sanitize input. Update: Dealsandyou has fixed the bug. Responded on twitter with a thanks. I was looking at...
[...] XSS Locator code snippet. Voila!, an alert box popped up confirming my hunch. Click to see full-size image. For those who don’t know what XSS (Cross-site scripting) attack means, here’s an [...]
[...] returned by injected code (cookie-stealer.php). The code is self explanatory. It gets the cookie information via querystring, saves it to a text file and redirects back to koolkart. Step 2 – [...]
[...] attack, next steps were: Injecting a javascript snippet into the web page which steals the cookie information. Sending this cookie information to a remote server and storing it. Using this stored [...]
[...] a mail from snapdeal security team, and this vulnerability has been fixed. I just found an XSS vulnerability on a very popular Indian e-commerce site snapdeal.com. It was a bit tricky to find the XSS [...]
[...] I was randomly browsing through shop.airtel.com and discovered an XSS vulnerability. This involves one of the simplest forms of XSS attack, known as end title tag attack. [...]
[...] Earlier, I demonstrated the XSS vulnerability in DealsAndYou (fixed) and now, I’ll demo an XSS bug on KoolKart.com. I’ [...]
[...] into the web page which steals the cookie information. Sending this cookie information to a remote server and storing it. Using this stored cookie information to login into the system without any [...]
[...] the javascript injection script. The above code gets the cookie and sends it to the remote server with cookie information as query string. Step 3 – Finding the XSS pattern. It took [...]
[...] on a very popular Indian e-commerce site snapdeal.com. It was a bit tricky to find the XSS pattern, because searching for a string containing some javascript functions such as “alert( [...]
[...] it to the remote server with cookie information as query string. Step 3 – Finding the XSS pattern. It took me a couple of tries to find the vulnerable javascript code KoolKart. I realized that [...]
[...] I was going through a few Indian e-commerce websites and found XSS vulnerabilities in a few of them. I’m not publishing injection patterns due to security reasons. If [...]
[...] simple reason. The input wasn’t sanitized properly. 1.5 years ago, I found similar XSS vulnerabilities in Flipkart and infibeam as well. See the screenshots below. Click to see full- [...]
[...] script tags in the webpage itself, to detect if the file was blocked from loading: The above code snippet simply checks whether the variable was defined or not. If it wasn’t, it simply means [...]
[...] me do an XSS vulnerability test on their “Search” input box using the XSS Locator code snippet. Voila!, an alert box popped up confirming my hunch. Click to see full-size image. For those [...]
[...] value, it just redirects back to DealsAndYou. Nothing fancy. Step 2 – Writing the javascript injection script. The above javascript code is quite simple as well. It gets the cookie and redirects [...]
[...] , saves it to a text file and redirects back to koolkart. Step 2 – Writing the javascript injection script. The above code gets the cookie and sends it to the remote server with cookie [...]
Related channels
-
Viraz Gupta
Viraz Gupta, CMD of TMZ Group having companies into Real Estate, Construction, Development, Land Trading,Financing & man...
-
Latest News from Rajiv Gupta
-
Sushil Kumar Gupta
Full Stack PHP Developer