In the midst of crazy work, I breezed through certain websites and randomly injected some simple attack vectors over this month in China. I found several large sites that are vulnerable to XSS and SQL Injection.
Large sites including DangDang, Sina China, Sogou and Baidu; some of them fixed the problems after I emailed them, or maybe after reading their logs. However, the SQL Injection in DangDang remains unfixed, and that is not good. I will not disclose it here though (you can certainly find it easily; it is just simple and buggy).
To give you an idea of how big the sites above are relative to China, here are some analogies:
DangDang – Amazon
Sina China – Yahoo! News
Sogou – Ask.com
Baidu – Google (bonus: Baidu beats Google in China)
I guess I will have to find more time to play with these sites to look for more holes. But for now, I have tons of work piling up. Ouch. I am on vacation today, in the office.

Vulnerable to XSS and SQL Injection for those Tier 1 websites!!!!!!……. They should take a course in Web Security 101 …
>>kklo
Yes, sadly, it is not difficult at all to locate them.
After all, secure web application development isn’t just a course but the enforcement of practices throughout the development team. There are plenty of courses and books that talk about it, but enforcing them is another story. I might find more when I have time…
What organizations are available for you to report findings to? In the USA we have CERT and some others for product findings. Website findings might be tricky because there are lots of legal lines that get crossed.
>>Chris
You brought up a good point. I should find the local ones. However, I just discovered one sooooooooooooooooooooooooooooooooo similar to milworm, you know… *sigh* it just hurts to see so many duplicates (triplicates, in fact!) around.
>>Chris
Yea. What precautions do you think we should take to disclose our findings responsibly?
>>Chris
A simple search turns up some sites:
http://www.nohack.cn/bugs/
http://www.sitedir.com.cn/index.htm (This one is really like milworm.)
http://www.xfocus.net/vuls/ (This is very well known; Kuza55 went to give a presentation there this year in Beijing, on the 22nd of November last month.)