NineMSN Flights XSS Vulnerability

10 Nov 2012

After browsing around on the NineMSN website for a little while (for about 10 minutes) I found a XSS vulnerability on a very common page. The NineMSN flights page is located here:

The page did not sanitise input from the depart and return input. The form was expecting a date but any string could be provided as input to execute an XSS attack.

Here is the vulnerability:

Ninemsn Flights From  Ninemsn Flights To

Vulnerable Code:

This vulnerability has been reported and I have been added to the Microsoft Hall of Fame for October 2012.

Why not have a look around Microsoft’s websites and see if you can find one too.

No Comments

Posted in XSS


Leave a Reply