Bypass Anti XSS Filter : A Little Nice XSS Trick

Sometimes when I develop web applications, I don’t feel good when I am asked to allow HTML in user input or output. What scares me? XSS, I think.

This morning I received an interesting email from the webappsec.org mailing list. Amit Klein found out that he can trigger an XSS without a <script> tag, nor inside one. Here is the PoC:

<html>
***XSS code may be embedded here***
<script src="/foo/bar.js"></script>
</html>

The XSS is something like this :

Echo Search String (Query) XSS

Ever seen something like this:

We noticed you arrived on Bla3.com searching for “GOD Sighting”
You might find additional content on those search terms at this site search link

The page echoes your search string. What if:

inurl:thevulnsite.com intext:<script>alert(/xss/);</script>

How to use it? CSRF is the answer. Remember that XSS & CSRF are pals :P

Thanks,

Zoiz
http://zoiz.web.id

Friendster Logout Problem

It’s been a while since I last posted here, about Account Security part III. Now, this is about Friendster. Friendster again? Am I not bored? Of course not, it’s my fun! Hacking is for fun, don’t you think so? Of course you don’t if you have already made hacking your job. It’s no fun anymore, is it? It’s about work. Or if someone still says it’s fun whether it’s a job or not, glad to hear that! :)

OK, to the point. On Monday, when I had a trip to Tanah Lot in Bali, my friend ymm0t called me and sent me his advisory. It’s about Friendster’s logout problem. Well, I found it earlier than he did, but never thought of writing it up.

Have you ever been given a link by someone, such as http://profile.friendster.com/logout.php? Or clicked it after viewing someone’s profile (http://profile.friendster.com/r3ck0rd, for example)? After you click it, you’ll see the logout page. But when you go to the Friendster home page, you’ll see you haven’t logged out from Friendster. What’s going on?

This is my deduction, and ymm0t may not know this. You were logged out, but not from www.friendster.com, only from profile.friendster.com. It’s a fatal fault for users if they log out by clicking the link at the top right after viewing someone’s profile. It resets the cookie of profile.friendster.com, but does not reset the cookie of www.friendster.com.

So what’s all the babbling about? Haven’t got it yet? Here’s a scenario. You were browsing Friendster and viewing someone’s profile, then your friend told you to press the log out link at the top, or to go to profile.friendster.com/logout.php, because your friend wants to use the computer. After the “You have been logged out” text showed up, you give your friend their turn on the computer. The fact is, if your friendster… I mean, if your friend is naughty, since you haven’t been logged out from www.friendster.com, he can still access your account. And do something bad, like putting malicious code in your profile, maybe to steal your friends’ cookies, and your account may be banned for containing that code.

This short? Yeah, this short. Short and easy to take over someone’s account, right? Lucky you if you access Friendster from your own PC or notebook at home. What about in an internet café, where the computers you use are shared? So, here are the problem solvers:

  • After you log out anywhere on Friendster, make sure you check www.friendster.com too. Always recheck.
  • It’s recommended to log out from the home page, friendster.com.
  • If that doesn’t help, just install a cookie editor plugin for your browser and delete all the cookies from Friendster.
  • Remember, “just click log out and goodbye” may not be enough.

It hasn’t been reported yet, but I’ll be reporting it to the Friendster Team.

By the way, after Th0R read this, he mentioned CSRF. I don’t know exactly what he meant, but I’m thinking about sending my friends this link, or just putting a CSRF in my FS profile like this:
<img src="http://profiles.friendster.com/logout.php" alt="logout" />
It’ll be kind of annoying, huh :lol: (may I implement it here?)
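The bug above is a logout that only clears the cookie as seen from one host. Here is an added example (not Friendster’s own code) of a logout handler that avoids it, assuming a session cookie named "fs_session", a placeholder site domain "example.com", a server-side session store, and PHP 7.3 or later for the setcookie options array:

```php
<?php
// Added example, not Friendster's code. Shows a logout that cannot leave a
// sibling host (www.* vs profile.*) logged in. Assumes: session cookie
// "fs_session", site domain "example.com" (placeholder), a session store.

const SESSION_COOKIE = 'fs_session';
const PARENT_DOMAIN  = 'example.com';

interface SessionStore {
    public function destroy(string $sid): void;
}

// Shared cookie options: Domain=.example.com makes www.* and profile.* read
// and expire the SAME cookie, instead of each host keeping its own copy.
function cookie_options(int $expires): array {
    return [
        'expires'  => $expires,
        'path'     => '/',
        'domain'   => '.' . PARENT_DOMAIN,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

function issue_session_cookie(string $sid): void {
    setcookie(SESSION_COOKIE, $sid, cookie_options(0)); // browser-session cookie
}

// logout.php. Two halves: even if a host-only cookie lingers on www.*,
// the id behind it is dead on the server, so it no longer opens the account.
function logout(SessionStore $store, array $cookies, string $method): int {
    // Require POST: a plain <img src="/logout.php"> in a profile is a GET and
    // would otherwise log every viewer out (the CSRF Th0R mentioned).
    // A CSRF token on the logout form is the usual addition to this check.
    if ($method !== 'POST') {
        return 405;
    }
    $sid = $cookies[SESSION_COOKIE] ?? '';
    if ($sid !== '') {
        $store->destroy($sid);                        // 1. invalidate server-side
    }
    setcookie(SESSION_COOKIE, '', cookie_options(1)); // 2. expire the shared cookie
    return 200;
}

// Typical call from logout.php:
// http_response_code(logout($store, $_COOKIE, $_SERVER['REQUEST_METHOD']));
```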

All credits to: ymm0t for reminding me this. And Th0R for the CSRF idea. :)

GreetZ to:
- All SATE, HackingForte, and Ha.ckwith.us members. You’re all my support in growing my hacking activity.
- IndoForum members. You may dislike me or not because I’m still one of them, but this forum is the place where I grow up too.
- BayPas staffs and members, thanks for entrusting me to be the technician.
- Most of all, Jesus for keeping me breathing.

Original Link: http://reckord.info/friendster/friendster-bug/81.friendster-logout-problem.html

Update 05/07/2008:

Disclaimer: The copyright above is for the text, not the bug. We never claim this as our own bug find. I don’t know if someone has reported this anywhere, because it’s an easy thing to find.

Thu.2008.6.19
r3ck0rd

© 2008 r3ck0rd and ymm0t. Some rights reserved.

WP-StatPress XSS

If you are using the WP-StatPress plugin (1.2.9 or below) on your WP blog, you might need to take a look at this:

PHP, line 1146: $referrer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');

This might pull an XSS out of your admin page if a malicious user spoofs the referer URL into something like this: http://bla3.com/'>"><script>alert(/XSS/)</script>

You might either update your StatPress or fix it yourself by sanitizing $referrer.
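Both this StatPress line and the "we noticed you arrived searching for" page earlier echo the Referer header into HTML. The following added example (not StatPress code) shows that pattern beside a hardened version and a safe echo of the search term; it assumes plain PHP, with htmlspecialchars standing in for WordPress’s esc_url()/esc_html():

```php
<?php
// Added example, not StatPress code. Vulnerable referer echo beside a
// hardened one, plus a safe "you arrived searching for" echo. Assumes plain PHP.

// Vulnerable pattern (like StatPress line 1146, then echoed raw into the admin page).
function referrer_link_vulnerable(array $server): string {
    $referrer = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    return '<a href="' . $referrer . '">' . $referrer . '</a>';
}

// Hardened: keep only http(s) URLs, then HTML-escape for both attribute and text.
function referrer_link_safe(array $server): string {
    $referrer = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    $scheme = parse_url($referrer, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';                      // javascript:, data:, or unparsable -> drop it
    }
    $safe = htmlspecialchars($referrer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

// "We noticed you arrived searching for ...": take q= from the referer, escape it.
function search_terms_from_referrer(string $referrer): string {
    $query = parse_url($referrer, PHP_URL_QUERY);
    if (!is_string($query)) {
        return '';
    }
    parse_str($query, $params);
    $term = isset($params['q']) && is_string($params['q']) ? $params['q'] : '';
    return htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs, modelled on the spoofed referer and the dork in the posts.
$spoofed = ['HTTP_REFERER' => "http://bla3.com/'>\"><script>alert(/XSS/)</script>"];
echo referrer_link_vulnerable($spoofed), "\n"; // the <script> lands in the page
echo referrer_link_safe($spoofed), "\n";       // escaped (or dropped), never executed

$search = 'http://www.google.com/search?q=%3Cscript%3Ealert(%2Fxss%2F)%3C%2Fscript%3E';
echo 'We noticed you arrived searching for "', search_terms_from_referrer($search), "\"\n";
```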

http://wordpress.org/extend/plugins/statpress/

Credits fly to: Rogério Vicente & Daniele Lippi