Reflected XSS on SearchSecurity.com
SearchSecurity.com- A prominent online Information Security website which is resource for IT Security professionals for latest security news,attacks,security topics,whitepapers etc is itself vulnerable to reflected XSS.
The XSS is possible in response page which gives error message if the login fails.
An error page, which is handling requests for a non existing pages, a classic 404 error page.
If we request some non-existent the application returns following response:
Requesting http://example.com/non-existent_page.htm will return
Sorry non_existent_page not available
Here the application is embedding the requested page's name in the response.So if a user requests http://example.com/<script>alert("XSS in reponse page");</script> the application will execute the script when returning a response to the user.
Similarly the Login page of the SearchSecurity.com returns error message in response page.
So replacing it with
....html?Error=<script>alert("XSS");</script> will execute in the browser.
Also the application provides login-specific errors.
If username doesn't match :Email provided does not exist
If Password doesn't match :Password provided is incorrect
So Guessing usernames and passwords should not be very difficult for a determined attacker.