Cross Site Scripting Vulnerability in Speed Bit Search Engine

Posted: November 10, 2011 in Vulnerabilities

Debasish Mandal, a hacker from India, found an XSS vulnerability via JavaScript injection on the home page of the Speed Bit Search Engine. The XSS filter strips ordinary HTML, script and iframe tags, but XSS can still be achieved by injecting the JavaScript event handler "onmouseover()". The technical description is below. Debasish has reported the vulnerability to the Speed Bit team but has not yet received any response from their side.

Proof Of Concept:
1) Visit this URL” onmousemove=”alert(document.cookie)
2) Move the mouse cursor over the hyperlink shown in the image and you should see a pop-up box showing the browser cookies.
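Why a tag-stripping filter does not stop this, and what does, as an added example that is not code from Speed Bit or from the original post. The function names and the link template are assumptions made for illustration; the input is the payload shape shown in step 1.

```javascript
// Added illustration. All function names and the sample markup are assumptions.

// Blacklist filter of the kind described above: removes <script>, <iframe>
// and any other tag, but leaves quotes and attribute syntax untouched.
function stripTags(input) {
  return input.replace(/<\/?[a-z][^>]*>/gi, "");
}

// Context-aware output encoding for a double-quoted HTML attribute value:
// every character that can end the value or start markup becomes an entity.
function escapeAttr(input) {
  return input.replace(/[&<>"'`=]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Constructed template: the search term is reflected into an href attribute.
function renderLink(term, encode) {
  return '<a href="/search?q=' + encode(term) + '">results</a>';
}

// Small attribute scanner for checking rendered output: returns the names of
// the double-quoted attributes a browser would see on the tag.
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z-]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the rendered tag carries an on* event-handler attribute.
function hasEventHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith("on"));
}

// Payload shape from the proof of concept (written with straight quotes).
const payload = '" onmousemove="alert(document.cookie)';

const weak = renderLink(payload, stripTags);   // quote closes href early
const fixed = renderLink(payload, escapeAttr); // payload stays inside href

console.log(weak, hasEventHandler(weak));
console.log(fixed, hasEventHandler(fixed));
```

The same `hasEventHandler` check can be used as a regression test on any template that reflects request parameters into attributes.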

