Sunday, 12 September 2010

Vulnerable to XSS

Today, I was trying to download a file from ziddu, and since the author had already deleted the file, I was redirected to the error message page. And I thought of playing around with the message from the GET params, which was being displayed in the page.

I first added <i> and </i> in between the message and found that the HTML tags were not being filtered. Then I used the <script> tag and tried to do the alert, but they were adding backslashes to the single and double quotes...
Then I used the String.fromCharCode() JS function and the alert appeared in the site..,65,77,65,82%29%29;%3C/script%3E suffers from the XSS and I've notified them.
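
Added example, not part of the original post: a small model of why backslashing quotes does not stop a reflected message from becoming markup, shown next to HTML output encoding, which does. The `msg` parameter name, the function names and the sample inputs are constructed for illustration; the site's real code is not known.

```javascript
// Hypothetical model of the filter described in the post: only quotes
// (and backslashes) get a backslash prefix, addslashes-style.
function backslashQuotes(s) {
  return String(s).replace(/(['"\\])/g, "\\$1");
}

// Output encoding for an HTML text context: every character that can
// start or end markup becomes an entity.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflect the message into the error page using the given encoder.
function renderError(msg, encoder) {
  return '<div class="error">' + encoder(msg) + "</div>";
}

// List the tag names a browser would see in the rendered fragment.
function tagsIn(html) {
  return [...html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
}

// Constructed query strings; "msg" is an assumed parameter name.
const SAMPLES = [
  "msg=File%20%3Ci%3Enot%3C/i%3E%20found",
  "msg=%3Cscript%3Ealert('x')%3C/script%3E",
  "msg=%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E",
];

// For each sample, compare what survives under each encoder.
function compare(samples) {
  return samples.map((qs) => {
    const msg = new URLSearchParams(qs).get("msg");
    return {
      msg,
      quoteFilterTags: tagsIn(renderError(msg, backslashQuotes)),
      htmlEncodedTags: tagsIn(renderError(msg, escapeHtml)),
    };
  });
}

for (const r of compare(SAMPLES)) {
  console.log(r.msg);
  console.log("  quote filter :", r.quoteFilterTags.join(","));
  console.log("  html encoded :", r.htmlEncodedTags.join(","));
}
```

With the quote filter, the `i` and `script` tags reach the page in every sample, and the third message contains no quotes so it passes through unchanged; with HTML encoding only the wrapper `div` remains.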