Sunday, April 29, 2007

XSS on Yaari.com

Lots of friendship network sites are coming up these days following the success of Orkut. Another one, supposedly originating from the same Stanford University, is yaari.com, targeted mainly at Indian users. The site's look and functionality seem fine, but it is full of XSS (Cross Site Scripting) holes. Almost all of the input fields are affected.

The only thing that amazes me is that the site is written in PHP. PHP has a wonderful set of built-in functions that can take care of the XSS problem. I wonder why no one is using them. I guess people are unaware of the XSS problem, or is it that they just underestimate it?
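To make the point concrete, here is an added example (not code from the post or from yaari.com) of the defect pattern, a profile field echoed straight back into the page, next to the fix using PHP's built-in `htmlspecialchars()`. The field name and sample input are constructed for illustration.

```php
<?php
// Added example: output-escaping a user-supplied profile field in PHP.
// The post says nearly every field on the site reflects input unescaped;
// this contrasts that pattern with the built-in function that fixes it.

// Constructed sample input, as a user might type into an "about me" field.
$about = 'Bob "the builder" <i>likes</i> cricket & chess';

// VULNERABLE: echoing raw input lets the browser interpret any markup in it,
// so whatever another user typed runs in every viewer's browser.
function render_about_unsafe(string $about): string {
    return '<p class="about">' . $about . '</p>';
}

// FIXED: escape for the HTML context before output. ENT_QUOTES converts both
// double and single quotes, so the same helper is safe inside quoted attribute
// values; the explicit charset avoids multibyte-encoding ambiguities.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_about_safe(string $about): string {
    return '<p class="about">' . esc($about) . '</p>';
}

// Attribute context: the same escaper works, but only if the attribute value
// is quoted. An unquoted value="..." cannot be made safe by escaping alone.
function render_name_attr_safe(string $name): string {
    return '<input type="text" name="name" value="' . esc($name) . '">';
}

echo render_about_unsafe($about), "\n";   // tags and quotes pass through untouched
echo render_about_safe($about), "\n";     // <, >, &, " become entities; shown as text
echo render_name_attr_safe($about), "\n"; // quotes inside the value are escaped
```

The check to apply across a PHP site is simple: every `echo`/`print` of data that came from a request, database or cookie goes through an escaper chosen for the context it lands in (HTML body, quoted attribute, JavaScript, URL), never raw.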

If anyone from the administrative department of yaari happens to be reading this, please post a comment on "Why have you ignored XSS ??"

Thanks Mr Nobody,
XSS is on DesiMartini.com too.

5 comments:

pg said...

Thanks for your help... wanna talk? =) Would love to get more of your help on the site. Let me know. You know how to reach me.

insistkool said...

Well, security is always a small problem or nothing for most university projects and open source stuff. Their strategy is not to fix/touch any sec issue unless it is very serious. Considering XSS is a relatively new (well, not that new) attack vector, most junior developers don't know about it. Guess you get the point why tons of applications suffer all these problems.

Prerna said...

This comment has been removed by the author.

Mr Nobody said...

XSS found on desimartini.com also... sweet

Anonymous said...

Yaari spams your friends too!!