D-Mart India is Vulnerable to Xss and Xpath Injection

Note: This post is only for educational purpose, the author of this website will not be responsible for any misuse.

D-Mart is a chain of hypermarket and supermarkets in India. As of 2013, it has 64 stores spread across Maharashtra, Gujarat, Andhra Pradesh and Karnataka. Since D-Mart first opened its doors in the Mumbai region in 2000, it has grown into a trusted and well-established shopping destination in Maharashtra, Gujarat, Andhra Pradesh and Karnataka.  D-Mart is now looking forward to growing its stores across India.

D-Mart seeks to be a one-stop shopping destination for the entire family, meeting all their daily household needs. A wide selection of home utility products is offered, including foods, toiletries, beauty products, garments, kitchenware, bed and bath linen, home appliances and much more.

Since D-Mart first opened its doors in the Mumbai region in 2000, it has grown into a trusted and well-established shopping destination in Maharashtra, Gujarat, Andhra Pradesh and Karnataka.  D-Mart is now looking forward to growing its stores across India.

But recent days of my further testing on the D-mart India for vulnerabilities, I found two high vulnerabilities of  XSS(Cross Site Scripting) and XPath Injection vulnerability.

1: What is XPath Injection vulnerability?

XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input. An authenticated attacker may extract a complete XML document using XPath querying. This may compromise the integrity of your database and expose sensitive information.

References:

You can search more detail on XPath injection on this link.

http://palizine.plynt.com/issues/2005Jul/xpath-injection/

Effected item: http://www.dmartindia.com/advanced.asp

2: Cross Site Scripting(XSS)

It is one of the most common application-layer web attacks. XSS commonly targets scripts embedded in a page which are executed on the client-side (in the user’s web browser) rather than on the server-side. XSS in itself is a threat which is brought about by the internet security weaknesses of client-side scripting languages, with HTML and JavaScript (the others being VBScript, ActiveX, HTML, or Flash) as the prime culprits for this exploit. The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page which can be executed every time the page is loaded, or whenever an associated event is performed.

See http://www.acunetix.com/websitesecurity/xss/ for more details.

See Cheat sheet of XSS https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Items that are affected:

• /complaints01.asp 
• /feedback01.asp 
• /landlord01.asp 
• /suppliers01.asp

I am taking http://www.dmartindia.com/feedback.html vulnerability as shown below:

Additional Vulnerability is that http://www.dmartindia.com/ is not having any backup.. So sad

 News.That is the reason why most of the Indian websites get hacked due to this poor vulnerabilities.