
NineMSN Flights XSS Vulnerability

10 Nov 2012

After browsing around on the NineMSN website for a little while (for about 10 minutes) I found an XSS vulnerability on a very common page. The NineMSN flights page is located here:
http://flights.ninemsn.com.au/

The page did not sanitise the values submitted in the depart and return inputs. The form was expecting a date, but any string could be provided as input to execute an XSS attack.
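The fix for this class of flaw, as an added example that is not the site's code or part of the original post: strict server-side validation of the two date fields, plus HTML encoding of anything echoed back into the form. The dd/mm/yyyy format, the function names and the sample request are assumptions.

```javascript
// Added example (hypothetical handler logic, not NineMSN's code).
// Field names "depart" and "return" follow the post; dd/mm/yyyy is an assumed format.
const DATE_RE = /^(\d{2})\/(\d{2})\/(\d{4})$/;

// Parse a strict dd/mm/yyyy date; return a Date (UTC) or null for anything else.
function parseStrictDate(value) {
  if (typeof value !== "string") return null;
  const m = DATE_RE.exec(value);
  if (!m) return null;
  const day = Number(m[1]), month = Number(m[2]), year = Number(m[3]);
  const d = new Date(Date.UTC(year, month - 1, day));
  // Reject impossible dates such as 31/02/2012, which Date would silently roll over.
  const same = d.getUTCFullYear() === year && d.getUTCMonth() === month - 1 &&
    d.getUTCDate() === day;
  return same ? d : null;
}

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Validate both fields, then build the markup that echoes them back.
function renderSearchForm(query) {
  const names = ["depart", "return"];
  const errors = [];
  const dates = {};
  const echo = {};
  for (const name of names) {
    dates[name] = parseStrictDate(query[name]);
    if (dates[name] === null) errors.push(name);
    // Never reflect a value that failed validation.
    echo[name] = dates[name] === null ? "" : query[name];
  }
  // A return date earlier than the departure date is also invalid.
  if (errors.length === 0 && dates["return"] < dates["depart"]) errors.push("return");
  // Encoding is kept even for validated values, as defence in depth.
  const html = names
    .map((n) => `<input type="text" name="${n}" value="${escapeHtml(echo[n])}">`)
    .join("\n");
  return { ok: errors.length === 0, errors, html };
}

// Constructed sample request: one malformed field, one valid date.
console.log(renderSearchForm({ depart: '"><b>x</b>', return: "12/11/2012" }));
```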

Here is the vulnerability:

[Screenshots: Ninemsn Flights From; Ninemsn Flights To]

 

Vulnerable Code:

 

This vulnerability has been reported and I have been added to the Microsoft Hall of Fame for October 2012.

Why not have a look around Microsoft’s websites and see if you can find one too?

 