Recently I installed a software which changed my default search of firefox to Babylon search. It is a popular search engine and ranks high in alexa. The search engine can be reached at http://search.babylon.com/home
The search engine is vulnerable to a perticular type of XSS attack. Since no one has ever reported about a vulnerability in this search engine so I can take the credit
The search engine can be XSSed by first adding a normal string at the beginning and then add the script. Since the search engine has implemented XSS filtering so it can be bypassed by crafting a different vector.
Notice the search term that I have used here. On executing the script, an alert box will be displayed notifying the successful execution of script.
Here is the complete vulnerable url :
http://search.babylon.com/?q=helloworld%3Cscript%3Ealert%28%27hackingalert%27%29%3B%3C%2Fscript%3Ehelloworld&babsrc=home&s=web&as=0&t=0
No comments:
Post a Comment