Brijj.com bug

06 Aug

Posted by Gaurav as Tech

Found this on Brijj.com after a couple of minutes of browsing. I wasn’t looking for something like this. I imported and then deleted bunch of contacts. The parameter count, which had the number of people I deleted looked out of the place. In most secure applications it is handled on the server side instead of passing it as a GET parameter and then reading it. Even if it is passed as a GET param due to app limitations, server side processing is done to the GET text to make sure it is what it should be. In this case it should be checked if it is an INTEGER, if not then don’t display it.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Viewing 10 Comments

Kapil 3 months ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Interesting find. looks like some authentication issue with the Linkedin API

reply edit reblog flag record video comment

http://kapilchhabra.com

Gaurav 3 months ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I just found out that you were Technical Architect on Brijj.com and it uses Symfony. I haven't dug deep into Symfony, but I'd imagine their basic auth module/plugin will hash passwords before saving them.

I wonder if Brijj.com isn't fully using Symfony to its potential?

reply edit reblog flag record video comment

1 /people/gsharma/ /people/gsharma/following/ http://www.gsharma.com 500887245 pub/0/292/93 gsharma gsharma gsharma

Gaurav Sharma 3 months ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Tech Architect? You're referring to Kapil, rite? :)

reply edit reblog flag record video comment

http://twitter.com/mindbend

Gaurav 3 months ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Yes, it was for Kapil.

reply edit reblog flag record video comment

1 /people/gsharma/ /people/gsharma/following/ http://www.gsharma.com 500887245 pub/0/292/93 gsharma gsharma gsharma

Gaurav 3 months ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Kapil, this has nothing to do with LinkedIn API or even LinkedIn. I guess I chose a bad example for the iframe.

See the URL in the screenshot - http://www.flickr.com/photos/gsharma/2740079054...

reply edit reblog flag record video comment

1 /people/gsharma/ /people/gsharma/following/ http://www.gsharma.com 500887245 pub/0/292/93 gsharma gsharma gsharma

Gaurav Sharma 3 months ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

i wudn't be trusting this site with my email credentials ( http://brijj.com/aboutus/TakeATourPage2 ). A 1 year old indian website.. hmmm :-s

reply edit reblog flag record video comment

Gaurav 3 months ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I apparently did that.

They don't encrypt your password either. I did the 'forgot my password' thing and they emailed me my existing password in plain text. Yikes! Info Edge, a publicly traded company, needs to improve their coding quality.

reply edit reblog flag record video comment

1 /people/gsharma/ /people/gsharma/following/ http://www.gsharma.com 500887245 pub/0/292/93 gsharma gsharma gsharma

Gaurav Sharma 3 months ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

It all boils down to the Tech Lead / Programmers. They certainly don't seem to have any coding standards. 'Lack of experience' I assume. Moreover, quantity is rated higher than quality (in India). Pity.
I suggest you change your passwords NOW ;-)

reply edit reblog flag record video comment

http://twitter.com/mindbend

Gaurav 3 months ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

No, just a XSS vulnerability on Brijj. Click the image to see the URL.

reply edit reblog flag record video comment

1 /people/gsharma/ /people/gsharma/following/ http://www.gsharma.com 500887245 pub/0/292/93 gsharma gsharma gsharma

Gaurav Sharma 3 months ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

LinkedIn API?

reply edit reblog flag record video comment