Black market for zero day vulnerabilities
  #1  
03.11.2008, 23:37
Fugitif
Regular member
Registered: 23.09.2007
Posts: 416
Time spent on the forum:
1781065

Reputation: 869

Black market for zero day vulnerabilities still thriving

Quote:
One would assume that popular sources for zero day vulnerabilities+Poc’s such as Full-Disclosure, Bugtraq or Milw0rm are the primary sources for obtaining responsibly or irresponsibly released flaws. They’d be wrong. The black market for zero day vulnerabilities and the concept of over-the-counter (OTC) trade of zero day flaws, has been gradually developing itself through the last couple of years.

Let’s take a brief retrospective of the black market for zero day vulnerabilities, and review a recently launched underground shop for zero day vulnerabilities, currently offering 15 zero day vulnerabilities affecting popular web applications in order to execute successful XSS or SQL injection attacks, with prices ranging from $10 to $300.
Quote:
Which products are they targeting? Currently offered zero days affect multiple versions of the following web applications:

- All versions of PHP Fusion
- WHMCompleteSolution
- PHP Nuke
- PunBB
- Tiki Wiki
- BMForum
- Invision Power Board
- YaBB
- PunBB
- e170 Plugin Calendar
- vBulletin v3.6 + ICQ Mod
- vBulletin v3.6 + GVideo Mod
- vBulletin v3.6 + Youtube Mod
- vBulletin v3.6 + LJ Mod
- Zen Cart

The most expensive is the $300 SQL injection flaw affecting all versions of PHP Fusion, which can be exploited on a large scale since there are over 2.5 million instances of it on the web, and even if the stats are conservative this hit list building approach through search engine reconnaissance has always been there, with the most recent proof of its usability being the massive SQL injection attacks.

Next to their current inventory, the service is also offering zero day vulnerabilities on demand charging the following prices:

“- Remotely upload shell - $120
- Remote file inclusion on request - $100
- Remote SQL injection - $70
- Passive and Active XSS for $10 and $40 respectively”.
More Info About:

Code:
http://blogs.zdnet.com/security/?p=2108
 