Times of India website vulnerable to Cross Site Scripting (XSS) attacks

India’s premier daily and popular website, Times of India is vulnerable to critical cross site scripting (XSS) attacks.  Times of India which operates a website called indiatimes.com is a top news website in India and elsewhere.  As per Wiki description,

“According to the Indian Readership Survey (IRS) 2012, the Times of India is the most widely read English newspaper in India with a readership of 7.643 million. This ranks the Times of India as the top English daily in India by readership.”

For the uninitiated a cross-site scripting (XSS)  vulnerability allows attackers to inject client-side script into the Time of India website.  It can be used by attackers to bypass access controls such as the same origin policy (SOP).


The XSS vulnerability in the Times of India website was discovered by Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.  He has found that the vulnerability occurs at Indiatimes’s URL links. Indiatimes only party filters the filenames in its website.  Jing says due to this almost all URLs under Indiatimes’s “Photogallery” and “Top-lists” topics are affected by this vulnerability.

Indiatimes uses part of the links under “photogallery” and “top-llists” topics to construct its website content without any checking of those links at all. Jing says this is one to most popular mistakes webmaster’s make now a days. Jing used Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7 and found that this vulnerability can be exploited without user login credentials.

Proof of Concept (PoC)

The PoC codes are given below :

https://www.indiatimes.com/photogallery/”><img src=x onerror=prompt(‘justqdjing’)>
https://www.indiatimes.com/top-lists/”><img src=x onerror=prompt(‘justqdjing’)>
https://www.indiatimes.com/photogallery/lifestyle/”><img src=x onerror=prompt(‘justqdjing’)>
https://www.indiatimes.com/top-lists/technology/”><img src=x onerror=prompt(‘justqdjing’)>


Jing has also made video of the PoC which is given below


Wang Jing says he has notified Times of India about these vulnerability but the security team of TOI has not patched the vulnerability so far.

Resource : CXSecurity.