There is a XSS through JavaScript Injection vulnerability in the Home page of Speed Bit Search Engine.
http://search.speedbit.com/
In Media:
The Hackers News:
http://www.thehackernews.com/2011/11/cross-site-scripting-vulnerability-in.html
Softpedia News:
http://news.softpedia.com/news/Indian-Hacker-Finds-Vulnerability-in-Speed-Bit-Search-Engine-233645.shtml
Technical Description of this Issue:
The XXS filter is filtering normal html /script /iframe tags but XXS can be achieved by injecting JavaScript event "onmouseover()".
Proof of concept:
To exploit this vulnerabilty follwthis steps:
1) Visit this URL
http://search.speedbit.com/?aff=grbr" onmousemove="alert(document.cookie)
2) Bring mouse cursor over the hyperlink shown in the attached POC! and you should see a POP up box showing the browser cookies.
The search engine might not be as popular as Google, but a large number of users could be affected if a black hat would profit from the flaw.
http://search.speedbit.com/
In Media:
The Hackers News:
http://www.thehackernews.com/2011/11/cross-site-scripting-vulnerability-in.html
Softpedia News:
http://news.softpedia.com/news/Indian-Hacker-Finds-Vulnerability-in-Speed-Bit-Search-Engine-233645.shtml
Technical Description of this Issue:
The XXS filter is filtering normal html /script /iframe tags but XXS can be achieved by injecting JavaScript event "onmouseover()".
Proof of concept:
To exploit this vulnerabilty follwthis steps:
1) Visit this URL
http://search.speedbit.com/?aff=grbr" onmousemove="alert(document.cookie)
2) Bring mouse cursor over the hyperlink shown in the attached POC! and you should see a POP up box showing the browser cookies.
The search engine might not be as popular as Google, but a large number of users could be affected if a black hat would profit from the flaw.
No comments:
Post a Comment