Search This Blog

Powered by Blogger.

Blog Archive

Labels

Multiple Cross Site Scripting Vulnerability in Airtel website

A Security Researcher Vedachala has discovered a Post Request Cross Site scripting vulnerability in the India's leading telecommunications services provider, Airtel(airtel.com)
A Security Researcher Vedachala who got acknowledged by PayPal, Zynga and more sites, has discovered a Reflected Cross Site scripting vulnerability in the India's leading telecommunications services provider, Airtel(airtel.com)

The researcher found that Username and Password field in this page "ebpp.airtelworld.com/myaccount" are vulnerable to XSS attack. This vulnerability is POST request based xss.

When you enter the this code in the username field with any password , it results in XSS :

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

The researcher has claimed to have found XSS on BSNL, Tatadocomo and 000webhost. He also claimed that he reported about vulnerability to Airtel but they failed to respond.

Recently,  I(Sabari Selvan aka BreakTheSec) discovered a XSS vulnerability in Airtel website and  reported to them.  It seems like they neither reply nor patch the vulnerability , So it is better to publish my finding in this same post itself.


The POC code for my finding:
http://www.airtel.in/wps/wcm/connect/airtel.in/airtel.in/home/foryou/mobile/prepaid+services/reach+airtel/PG_FY_MB_Prepaid_ReachAirtel/?page=cs_m&CIRCLE=2&CIRCLENAME="><script>alert("BreakTheSec")</script>
Share it:

Information Security News

Post Request XSS vulnerability

Vulnerability

XSS Vulnerability