Recently I installed some software which changed my default Firefox search to Babylon search. It is a popular search engine and ranks high in Alexa. The search engine can be reached at http://search.babylon.com/home
The search engine is vulnerable to a particular type of XSS attack. Since no one has ever reported a vulnerability in this search engine, I can take the credit ( cool man! ).
The search engine can be XSSed by first adding a normal string at the beginning and then adding the script. The search engine has implemented XSS filtering, but it can be bypassed by crafting a different vector.
Notice the search term that I have used here. On executing the script, an alert box will be displayed notifying the successful execution of the script.
Here is the complete vulnerable URL:
http://search.babylon.com/?q=helloworld%3Cscript%3Ealert%28%27hackingalert%27%29%3B%3C%2Fscript%3Ehelloworld&babsrc=home&s=web&as=0&t=0
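Added example, not code from the post or from Babylon: it decodes the q parameter of the URL above the way a server would, shows why a hypothetical prefix-only filter (my assumption about how such a bypass can happen, not knowledge of Babylon's actual filter) lets the prefixed payload through, and shows the fix, which is escaping the reflected term for its HTML context instead of trying to blocklist it.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# The URL quoted in the post, used here as the test input.
POST_URL = (
    "http://search.babylon.com/?q=helloworld%3Cscript%3Ealert%28%27hackingalert"
    "%27%29%3B%3C%2Fscript%3Ehelloworld&babsrc=home&s=web&as=0&t=0"
)


def search_term(url):
    """Return the percent-decoded q= value exactly as the server sees it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def naive_filter_passes(term):
    """Hypothetical weak filter: rejects only a term that *begins* with a
    <script tag. A harmless prefix such as 'helloworld' is enough to slip past
    it, which is the bypass pattern the post describes."""
    return not term.lstrip().lower().startswith("<script")


def render_unsafe(term):
    """Vulnerable pattern: reflect the raw search term into the page."""
    return f"<h1>Results for {term}</h1>"


def render_safe(term):
    """Fix: encode the term for an HTML text node, so <, >, &, quotes are
    emitted as entities and the browser never sees a tag."""
    return f"<h1>Results for {escape(term, quote=True)}</h1>"


def contains_script_tag(html):
    """Detection helper: does the rendered HTML still carry a live <script>?"""
    return "<script>" in html.lower()
```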





wow.......great bro...i was also hit by this adware which changed my browser's home page although i tried to change the homepage after restarting the browser the hell repeats....even it happens when i reinstalled it. but now somehow i managed it.
@sai charan : yea..they are a headache..
good work...
nice work bro..
When I find an XSS vulnerability, what can I do with it? I stumbled over one the other day whilst looking for SQL vulnerabilities :D
Do you have any tutorials on different things one can do?
xss is a limited vulnerability...persistent xss has some benefits .. non persistent xss requires a social attack vector framing...will post a tutorial on it..
Cool. Thank you. I'm looking forward to it.