Bangladeshi newspaper sites are vulnerable to XSS

Believe it or not, almost every online version of a Bangladeshi newspaper is vulnerable to Cross Site Scripting (XSS) attack. Since my last post regarding Prothom-Alo I had suspected that many newspaper sites from Bangladesh suffer from the same problem. And yes, the guess was right: I just tested 11 more sites and, surprisingly, 10 of them are vulnerable to the same type of attack. The only site that seemed OK to me in quick testing was Amar Desh.

During the testing session, I noticed some of them have more serious problems, such as directory browsing being enabled, malicious scripts being uploadable and SQL injection being possible, but in this post I will concentrate only on XSS. XSS can cause a variety of problems, from cookie theft and session stealing to complete account hijacking. It can even change the contents of the target site. Some types of XSS attack can disclose user files, install trojan horse programs or redirect users to other places. Sometimes it allows content such as news or company information to be added or modified, which can be a real problem for the companies.

Now let’s see the insecure sites. To get a proof of concept you will have to click the following links:

Cross Site Scripting vulnerability in Prothom Alo

I have been wondering how people will view this: finding vulnerabilities in popular local sites and disclosing them here on my site. Publicly disclosing security vulnerabilities is not common in our country, but it is a good, if criticized, idea, because once a vulnerability gets public attention those responsible (the owner of the site and the software company that developed it) focus on improving security.

There’s a debate: some people believe that when a vulnerability is found, the discoverer should keep it secret so that bad people cannot learn about it and thus cannot harm the innocent. How funny: do you think the hackers cannot discover vulnerabilities on their own? Yes, they can.

As a consumer, would you shop from a site where there is a risk of having your credit card details stolen by other users? Assume that you know stealing credit card information from that site is very, very complex work. Would you still go shopping on that site using your credit card? No, you won’t.

Now think about the software company that developed that shopping site. Somehow (privately) they got to know about that security threat; they investigated it and realized that it will take a significant amount of time and money to fix. Do you think they will fix it immediately? You need to understand the software business. In many instances, software companies do not take liability after delivering the software (I doubt that the culture of suing for major software faults or damages has yet grown up in our country). Many companies will ignore the problem, considering the amount of time needed to fix it and deliver the fix to their clients for free.

On the other hand, if someone announces this hole publicly, the owner of the site as well as the software company that developed it will try to fix it immediately, for a good number of reasons you already know. So if we, the user community, want software vendors to patch vulnerabilities, we will have to come forward. Imagine the number of security patches delivered by Microsoft after releasing each browser version. Not all of those security vulnerabilities were discovered by Microsoft’s own people; a good number were contributed by security researchers and hackers.

Disclosing vulnerabilities publicly works most of the time, but that doesn’t mean that silent reporting is worthless. Basically, software companies do not like public disclosure; they want it handled privately so that they can keep their goodwill intact.

By the way, the title of this post refers to an XSS hole in prothom-alo.com (the online version of the most popular newspaper in Bangladesh). It’s in the search box. Here are the steps to reproduce:

  1. Go to http://www.prothom-alo.com/
  2. Note there is a search box on the right side which reads কি জানতে চান? Write this text ' onMouseOver='alert("XSS") in the search box and hit the search (অনুসন্ধান) button.
  3. Look at the search result page: nothing is found (আপনার অনুসন্ধান বিষয়টি পাওয়া যায়নি). In the middle of the page the search box is there again, and it is empty.
  4. Move the mouse over the search box and an alert reading ‘XSS’ appears.
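The steps above describe a reflected XSS in an HTML attribute context: the submitted search term is written back into the value attribute of the search box without encoding, so the leading quote in the payload closes the attribute and the rest of the text becomes a new onMouseOver attribute. The following is an added example, not code from the post or from prothom-alo.com (whose backend is unknown): a hypothetical Python function that renders the search box the vulnerable way beside the fixed version that HTML-encodes the reflected value, with a small stdlib parser check showing that the page's own payload breaks out of the attribute in the first case and stays an inert string in the second.

```python
import html
from html.parser import HTMLParser

# Constructed input: the exact string the post types into the search box.
POST_PAYLOAD = "' onMouseOver='alert(\"XSS\")"


def render_search_box_vulnerable(query: str) -> str:
    """Hypothetical vulnerable render: the query is reflected into a
    single-quoted value attribute with no encoding, so a quote in the
    query terminates the attribute and the remainder is parsed as markup."""
    return "<input type='text' name='q' value='%s'>" % query


def render_search_box_fixed(query: str) -> str:
    """Same markup, but the query is HTML-entity encoded for an attribute
    context (quote=True also encodes ' and "), so it can no longer close
    the attribute or open a tag. The browser decodes the entities back
    into the original text when it displays the box."""
    return "<input type='text' name='q' value='%s'>" % html.escape(query, quote=True)


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag it sees, the way a
    browser's tokenizer would see them (names lower-cased, entities decoded)."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)


def parse_input_attrs(markup: str) -> dict:
    """Parse rendered markup and return the <input> tag's attributes."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def event_handlers(attrs: dict) -> list:
    """Names of any on* attributes, i.e. script that would run on an event."""
    return sorted(name for name in attrs if name.startswith("on"))


def check_render(render, query: str) -> dict:
    """Summarise whether a given renderer keeps the query inside the
    value attribute: returns the decoded value and any injected handlers."""
    attrs = parse_input_attrs(render(query))
    return {
        "value": attrs.get("value"),
        "handlers": event_handlers(attrs),
        "value_intact": attrs.get("value") == query,
    }


if __name__ == "__main__":
    print("vulnerable:", render_search_box_vulnerable(POST_PAYLOAD))
    print("           ", check_render(render_search_box_vulnerable, POST_PAYLOAD))
    print("fixed:     ", render_search_box_fixed(POST_PAYLOAD))
    print("           ", check_render(render_search_box_fixed, POST_PAYLOAD))
```

The encoder has to match the context the value lands in: html.escape is right for text and quoted attribute values, but a value reflected into a script block or an unquoted attribute needs a different treatment, which is why the fixed version keeps the quotes around the attribute as well as encoding the value.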