MyDeal.lk Reflected Cross Site Scripting Vulnerability.

MyDeal.LK, a popular Sri Lankan daily-deal website, has a reflected cross-site scripting vulnerability. Because of it, an attacker can craft a URL containing a malicious script that is executed in the browser of an unsuspecting victim who believes they are simply visiting MyDeal.LK.

The vulnerability exists in the “id” parameter of “deals.php?id=[id]”: the value is reflected into the page without being encoded, so an attacker can inject a script like this:

http://www.mydeal.lk/deals.php?id=%5Bid%5D"><script>EVIL SCRIPT HERE</script>

The attacker can replace EVIL SCRIPT HERE with a script that probes the victim's computer for an exploitable weakness that can be used to gain access to it, serves the victim a drive-by download, or steals information such as the session cookies of site admins, which can then be used to gain access to the website.
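As an added illustration (a hypothetical reconstruction, not MyDeal.LK's actual code, which is not shown here), this is the pattern that typically produces a reflected XSS in a parameter like deals.php?id, placed next to a hardened version that validates the id as an integer and encodes it for the attribute context:

```php
<?php
// Hypothetical example, not the real deals.php. The vulnerable form echoes the
// raw query parameter into an href attribute, so a value such as
//   [id]"><script>...</script>
// closes the quote and the tag and the browser runs the injected script.
function renderDealLinkVulnerable(string $id): string
{
    return '<a href="deals.php?id=' . $id . '">Share this deal</a>';
}

// Hardened form: a deal id is expected to be a positive integer, so reject
// anything else up front, then encode for HTML with ENT_QUOTES so both single
// and double quotes are escaped and the value can never break out of the attribute.
function renderDealLinkSafe(string $id): string
{
    $validId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($validId === false) {
        http_response_code(400);
        return 'Invalid deal id';
    }
    $encoded = htmlspecialchars((string) $validId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="deals.php?id=' . $encoded . '">Share this deal</a>';
}

// Constructed sample input mirroring the advisory's payload shape (harmless placeholder script).
$probe = '[id]"><script>alert(1)</script>';

// Vulnerable: the <script> tag lands in the page verbatim.
echo renderDealLinkVulnerable($probe), PHP_EOL;

// Hardened: the non-numeric value is rejected before it reaches the HTML.
echo renderDealLinkSafe($probe), PHP_EOL;

// Hardened with a legitimate id: the link renders normally.
echo renderDealLinkSafe($_GET['id'] ?? '42'), PHP_EOL;
```

Even where a parameter must accept free text rather than an integer, the second step (context-appropriate encoding with htmlspecialchars and ENT_QUOTES at the point of output) is the fix; input validation alone is not enough.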

I’ve reported the vulnerability to MyDeal.LK. Hope they will fix the vulnerability soon. The best way to keep yourself protected is not to click on links that are from suspicious sources.
