Posts tagged XSS

So, Landmark, a famous book/music/movies store in India is on the net at LandmarkOnTheNet.com. I was there to check whether they sell 3D glasses, even though there are some cheap paper glasses on ebay.in, but I want better quality. As usual, the bad habit of checking for SQL Injections and XSS tingled in my brain.

Apparently, LandmarkOnTheNet has both the problems.

And for SQL Injection, I didn’t try much: I just gave a single quote as input in search, and the server choked with an error in the SQL query (it actually told what the error is and where the error is; what a way to configure the production server).

So, there are many things you can have fun with using the above two. These are the keywords - My Account, Session Stealing, Gift Cards, SQL Injection, PIN Numbers, Free Shipping.

If I were a Landmark website user, I would ensure that my browser is Firefox with the NoScript add-on installed. If I were a Landmark webmaster, I would buy a book on Web Security right now, ah never mind, I would just search in Google for tips on fixing XSS and SQL Injection vulnerabilities and fix them ASAP. I might also feel very bad for using so many tables in my markup.

Something more free from Rediff ?
Hell Yeah.

What's that ?
URL redirection service.

Ads ?
Come on, it's rediff, there will be Ads.

What makes it different from other URL redirection services ?
Other URL redirection services are created by themselves. Here, even rediff doesn’t know that it got one too !!!

What ?
Okay, in clear words, yet another stupid implementation by rediff.

Where ?
Here -> http://www.rediff.com/login/inredirect.php?url=http://karteek.selfdabba.com

What does it do ?
Arghh !!! Click on it !! -> K World

Wow. Anything more in it ?
Uhmm, you want more and rediff will never say No. Yeah, it got XSS in it too.

Double Wow. Show me, show me !!
Well, neither can I say no. Click this.

Can I use it for anything more ?
Hell, yeah. How about printing your name there on that page ?

Triple Wow. Show me, show me.
Dude, not going to show you this. But, yeah. Will give you a hint. document.write in JavaScript. And you know how to inject JavaScript into that page.

What ? Do I know ?
Fck. That's why I should have kept a disclaimer on the top that this post ain't for everyone. XSS is Cross Site Scripting, where you would just inject JavaScript into another site.

Oh. okay. What do I do now ?
Uhmm, how about one fair deal. I will show you all the bugs I/others found in rediff and you stop using it ?

Yeah. I’m in.
Just go to Xssed.com and search for rediff. Lazy guys like me, click this.
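
An added example, not part of the original post and not Rediff's code: one way a redirect endpoint like inredirect.php could check its url parameter against a host allowlist and escape whatever it echoes back into HTML. The allowlist, the fallback path and the function names are assumptions made for illustration.

```python
from html import escape
from urllib.parse import urlsplit

# Assumption: the only hosts this site should ever redirect to.
ALLOWED_HOSTS = {"rediff.com", "www.rediff.com"}
FALLBACK = "/"  # assumption: safe landing page when the target is rejected


def safe_redirect_target(raw_url):
    """Return raw_url if it stays on an allowed host, otherwise FALLBACK."""
    # Browsers treat "\" like "/" and drop tabs/newlines, so reject them;
    # rejecting CR/LF also blocks header injection via the Location header.
    if not raw_url or any(c in raw_url for c in "\\\r\n\t"):
        return FALLBACK
    try:
        parts = urlsplit(raw_url)
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Same-site path only: exactly one leading slash.
        ok = raw_url.startswith("/") and not raw_url.startswith("//")
        return raw_url if ok else FALLBACK
    # Rejects javascript:, data: and scheme-relative "//host" targets.
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    # hostname is lowercased and excludes any "user@" prefix and port,
    # so "http://www.rediff.com@other.example/" is judged by its real host.
    return raw_url if parts.hostname in ALLOWED_HOSTS else FALLBACK


def redirect_response(raw_url):
    """Build (status, headers, body) for a hypothetical redirect endpoint."""
    target = safe_redirect_target(raw_url)
    # Escape before reflecting into HTML so markup in the value is inert.
    link = escape(target, quote=True)
    body = '<a href="{0}">Continue to {0}</a>'.format(link)
    return 302, {"Location": target}, body
```

With this check, the off-site URL from the post falls back to the site root instead of being followed.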
