XSS through javascript injection in Speed-Bit Search Engine

There is a XSS through JavaScript Injection vulnerability in the Home page of Speed Bit Search Engine.


In Media:
The Hackers News:
Softpedia News:

Technical Description of this Issue:
The XXS filter is filtering normal html /script /iframe tags but XXS can be achieved by injecting JavaScript event "onmouseover()".

Proof of concept:
To exploit this vulnerabilty follwthis steps:

1) Visit this URL

http://search.speedbit.com/?aff=grbr" onmousemove="alert(document.cookie)

2) Bring mouse cursor over the hyperlink shown in the attached POC! and you should see a POP up box showing the browser cookies.

The search engine might not be as popular as Google, but a large number of users could be affected if a black hat would profit from the flaw.


Post a Comment