SQLi and XSS vulnerabilities in IPL website

###################################
# Website: www.iplt20.com
# (includes spoils from pulselive.com)
# Bug: XSS, and SQLi
# IPL T20 - Indian(or is it English) Premier League
# Date: 29.04.09
###################################

Vuln URL: hxxp://www.iplt20.com



Click here for SQLi demo

There were also 26 injectable spots other than this, and there's XSS in URI, Path, and Forms, can't post too many screenshots... you see ;)

What's more you can insert, update, and delete tables in their DB :))

Happy hunting, Cheers!

XSS in Imageshack

################################
# Website: http://www.imageshack.us
# Bug: XSS
# Date: 25.04.09
##############################

Vuln URL: hxxp://www.imageshack.us

Click here for XSS demo

Fix your input validation.

Cheers,
Kish

XSS in NSA's website

################################
# Website: http://www.nsa.gov
# National "Security" Agency - oh really ?!
# Bug: XSS
# Date: 27.03.09
##############################


Vuln URL: hxxp://www.nsa.gov

Click for the XSS demo

Fix input validation in your page... Please be true to your THREE Letter acronym ;)

Cheers :)
Kish

Fixed again... Good job AVG, ESET

AVG and ESET have fixed their respective XSS vulnerabilities, and it is good !

Full disclosure - We believe in it !

Cheers!

Advisory updates: Q1 2009 and a few more ...

Advisory updates, First Quarter, 2009, and a few from 2008.



DMOZ search's xss was found 2 months back... and NASA's XSS at Goddard space flight center, was exactly a month ago...

The other findings, from Myspace, AVG antivirus, and ESET antivirus websites, are also not fixed ... considering that these websites have a good user base, and are expected to fix quickly.

HSBC haven't fixed their bug just yet ... but it is obvious, they're a bank and they want money... not security ;)

The Indian government website, has removed the page having input sanitization problems, instead of fixing it... still not bad ... they've taken some measures to stay at bay ...

Cheers :)
Kish

XSS in AVG website

#########################################
# Website: http://www.avg.com
# Bug: XSS
# Date: 09.03.09
########################################

Vuln URL: hxxp://www.avg.com

Screenshot

Click here for the demo

The AV vendors have failed to secure their websites, and their saga of web bugs, ranging from sql injection, earlier demonstrated by Romanian hackers, to the XSS bugs we're demonstrating will continue...

Fix input validation in your pages, the page affected is their "license" page...

Cheers :)
Kish

XSS in Myspace

#########################################
# Website: http://www.myspace.com
# Bug: XSS
# Date: 09.03.09
########################################

Vuln URL: hxxp://www.myspace.com/Modules/PostTo/Pages/DefaultV1.aspx

Screenshot



Click here for XSS demo

Fix input validation in the page, social networks are my turf !

Cheers :)
Kish