Thursday, January 31, 2013

FOUND A VULNERABILITY IN AIRTEL WEBSITE

Vedachala, a security researcher who has been acknowledged by PayPal, Zynga and other sites, has discovered a reflected cross-site scripting vulnerability in India's leading telecommunications services provider, Airtel (airtel.com).

The researcher found that the Username and Password fields on the page "ebpp.airtelworld.com/myaccount" are vulnerable to XSS. Because the login form is submitted with a POST request, this is a POST-based reflected XSS: the payload travels in the request body rather than in the URL.


Entering the following string in the username field, with any password, triggers the XSS:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

The researcher also claims to have found XSS on BSNL, Tata DOCOMO and 000webhost. He says he reported the Airtel vulnerability to the company but received no response.

Recently, I (Sabari Selvan aka BreakTheSec) discovered an XSS vulnerability in the Airtel website and reported it to them. It seems that they neither reply nor patch the vulnerability.

The PoC URL for my finding:

http://www.airtel.in/wps/wcm/connect/airtel.in/airtel.in/home/foryou/mobile/prepaid+services/reach+airtel/PG_FY_MB_Prepaid_ReachAirtel/?page=cs_m&CIRCLE=2&CIRCLENAME="><script>alert("BreakTheSec")</script>
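Both findings above are the same bug class: a request value is copied into the response without context-appropriate encoding. As an added illustration (not code from this post, and not Airtel's own code), the Python below models the CIRCLENAME case with a hidden-input template rendered three ways: by raw concatenation (the pattern behind the report), with HTML-attribute escaping, and with the JavaScript-string encoding that the username/password case would need instead of html.escape. It also includes the check a reviewer or triager applies to confirm that a value is reflected with its metacharacters intact. The host in SAMPLE_URL and both templates are constructed assumptions.

```python
import html
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample shaped like the PoC above; the host is a placeholder, not Airtel's.
SAMPLE_URL = ('http://example.invalid/reach-airtel/?page=cs_m&CIRCLE=2'
              '&CIRCLENAME="><script>alert("BreakTheSec")</script>')

# Assumed templates: one HTML-attribute context, one JavaScript-string context.
ATTR_TEMPLATE = '<input type="hidden" name="CIRCLENAME" value="%s">'
JS_TEMPLATE = "<script>var circle = %s;</script>"


def circle_name_from(url):
    """Extract the CIRCLENAME query parameter the way the page would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("CIRCLENAME", [""])[0]


def render_vulnerable(value):
    """Raw concatenation into an attribute: the value can close the quote and the tag."""
    return ATTR_TEMPLATE % value


def render_attr_safe(value):
    """HTML-attribute context: escape & < > " ' so the value stays inside the quotes."""
    return ATTR_TEMPLATE % html.escape(value, quote=True)


def render_js_safe(value):
    """JavaScript-string context: JSON-encode, then also escape < > & as \\uXXXX so a
    literal '</script>' inside the string cannot terminate the script block."""
    encoded = json.dumps(value)
    return JS_TEMPLATE % (encoded.replace("<", "\\u003c")
                                 .replace(">", "\\u003e")
                                 .replace("&", "\\u0026"))


def reflects_unescaped(page, value):
    """Triage check: True when the submitted value contains HTML metacharacters and
    reappears verbatim in the page. That is the condition a reflected-XSS finding rests on;
    an encoded reflection (&quot;, &lt;, \\u003c ...) returns False."""
    return any(ch in value for ch in '<>"\'') and value in page


if __name__ == "__main__":
    payload = circle_name_from(SAMPLE_URL)
    for label, page in (("vulnerable", render_vulnerable(payload)),
                        ("attr-safe", render_attr_safe(payload)),
                        ("js-safe", render_js_safe(payload))):
        print(f"{label:10s} reflected unescaped={reflects_unescaped(page, payload)}  {page}")
```

The point of the two safe renderers is that the encoding must match the context the value lands in: html.escape is the right fix for the CIRCLENAME attribute, but a username echoed inside a script block, which is what the `';alert(...)//` part of the polyglot above probes, needs JavaScript-string encoding, and neither one substitutes for the other.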

