Brijj.com bug

Posted on by

Bug on Brijj.com

Found this on Brijj.com after a couple of minutes of browsing. I wasn’t looking for something like this. I imported and then deleted bunch of contacts. The parameter count, which had the number of people I deleted looked out of the place. In most secure applications it is handled on the server side instead of passing it as a GET parameter and then reading it. Even if it is passed as a GET param due to app limitations, server side processing is done to the GET text to make sure it is what it should be. In this case it should be checked if it is an INTEGER, if not then don’t display it.

Like this post? Follow me on Twitter at @gsharma or leave a comment.
  • Gaurav Sharma

    LinkedIn API?

  • http://www.gsharma.com Gaurav

    No, just a XSS vulnerability on Brijj. Click the image to see the URL.

  • Gaurav Sharma

    i wudn't be trusting this site with my email credentials ( http://brijj.com/aboutus/TakeATourPage2 ). A 1 year old indian website.. hmmm :-s

  • http://www.gsharma.com Gaurav

    I apparently did that.

    They don't encrypt your password either. I did the 'forgot my password' thing and they emailed me my existing password in plain text. Yikes! Info Edge, a publicly traded company, needs to improve their coding quality.

  • http://twitter.com/mindbend Gaurav Sharma

    It all boils down to the Tech Lead / Programmers. They certainly don't seem to have any coding standards. 'Lack of experience' I assume. Moreover, quantity is rated higher than quality (in India). Pity.
    I suggest you change your passwords NOW ;-)

  • http://kapilchhabra.com Kapil

    Interesting find. looks like some authentication issue with the Linkedin API

  • http://www.gsharma.com Gaurav

    Kapil, this has nothing to do with LinkedIn API or even LinkedIn. I guess I chose a bad example for the iframe.

    See the URL in the screenshot – http://www.flickr.com/photos/gsharma/2740079054…

  • http://www.gsharma.com Gaurav

    I just found out that you were Technical Architect on Brijj.com and it uses Symfony. I haven't dug deep into Symfony, but I'd imagine their basic auth module/plugin will hash passwords before saving them.

    I wonder if Brijj.com isn't fully using Symfony to its potential?

  • http://twitter.com/mindbend Gaurav Sharma

    Tech Architect? You're referring to Kapil, rite? :)

  • http://www.gsharma.com Gaurav

    Yes, it was for Kapil.

  • stevenmartinez

    I am in love with your quality articles! I wish I had time and patience to make my blog like yours. Thanks for the informative information you share. Bookmarked your blog.

  • http://www.coverbookdesign.com/ book cover designer

    I'll be your loyal reader when you update your new post. I believe your blog will be famous some day. This is because I think you'll post a good information that suitable for a lot of people

  • Jim

    Gaurav,

    I liked your blog but after reading for 20 mins… I am frustrated…. Your every other blog entry has mention that we dont do this in india… we dont do that…. Indians are like this… Quantity is more important in India than quality…

    Dont generalize plz… and if you have a problem, being an Indian… Go live in Iraq… you looser….

    People like YOU give a bad name to India by complaining… Instead of doing that… why the hell you dont do something about it?? :( ugghh…

  • Anonymous

    Coach Outlet Online and Coach Outlet Online Store offer you chance to purchase your ideal articles. Here login Coach Outlet Online or Coach Outlet to purchase your favourites, such as Coach Cristin Bags, Coach Crossbody bags.They are renowned for exquisite workmanship, skillful knitting and elegant design and sell very well both at home and abroad. In order to convenient our customers, we also offer you other platforms. They are Coach Outlet Online,Coach Outlet Online Store and Coach Factory Outlet. We not only provide you the superior goods but offer you the best after-sales serives. So, please login Coach Outlet Online.

  • Anonymous

    The beautiful winter is comming now,have you fashion in this amazing season,maybe answer is yes,but you must to know who is the fashion leader of this winter,that is Belstaff Uk.In Uk everyone knows Belstaff Jackets is the most popular in winter,you should know the reason,Belstaff Jackets is established in 1924,it’s a long enough time to make clothes,so the quality,the design,for Belstaff Jackets Uk is expert level,especially Belstaff Leather Jacekt,it all are made up with top layer cow leather.Maybe in UK,every motobike rider want one.That’s incredible popular right.And now,you can find a so convenient way to get a perfect Belstaff Jackets,that is our onlien shop,we are official site of Belstaff Jackets Uk,why not choose one for your beartiful family and yourself now.so Click here to join us:Bestaff Uk.com.Get your Belstaff Jacket with biggest discount in this world.

  • Anonymous

    Fulfilling our needs for fast fashion means increased production and competition in clothing manufactured in countries with fashion trend.In order to meet the market’s demands,Coach Outlet Store Online pay more attention on the fashion style with the latest material.In terms of luxury consumption, consumers in Western countries prefer traditional brands while consumers are wilder about the fashionable fad.In Coach Outlet there are many famous bags of the Coach Outlet Online.In USA,at least,each of the person have a Coach bags on the average.So,in the Amercian market,Coach bags get the people favourate.On that basic,manufacture take the chance to make the price very on the high side.Today,Coach Handbags Outlet USA do atmost to drop the price,with the same quality.In order to thanks for the public,Coach give a biggest discount to Forengn for the fastival.If U bag bags over $99,Coach Outlet Store Online can send the goods to Ur home without the fright.At the same time,the goods of coach bags can have a discount at 82% to meet the market’s needs.So don’t worry,Coach Outlet Online Store can give U the chance to owned your remembered bags with very lowest price.At the same time,Coach Outlet Store Online newly iaunched the latest fad bags which canused a ensation in the fashion world for U to make up in the winter.Is your heat moving very fast,quick, first come first get.More and More chance are waiting for U.

  • Anonymous

      Louis Vuitton Outlet is famous for the unique articules ,login Louis Vuitton Online Store  and Louis Vuitton Handbag On Sale to buy your articles.Louis Vuitton Handbags have become the best seller in international market.such as Monogram Multicolore,Monogram Canvas Handbags.We also offer you other platforms.Owing to the various styles and models, up-to-date styling,elegant appearance,full range of colors and designs,quality and quantity assured,The bags in Louis Vuitton Outletand  Louis Vuitton Online Store sell very well both at home and abroad. Now, Login Louis Vuitton Handbag On Sale to choose your favorites. What’s more,the latest commodities are renowned all over the world for exquisite workmanship, skillful knitting and elegant design,famous for selected materials, novel designs, delightful colors and exquisite workmanship. For more relevant information, please login Louis Vuitton Outlet!