(THREAD)
[1/10]
Okay, so here's the full story about a simple yet critical Cross-Site Scripting vulnerability I discovered. At the same time it's the first vulnerability I've discovered, so I guess it's a milestone, for me at least. #ITSecurity #Vulnerability
[2/10]
One day a friend of mine, who isn't very good with computers, asked me for help with something. He wanted to add some music to his custom series-list subpage, or something of that sort. It had an option like that, for real.
[3/10]
The website itself was sort of simple. You had some tabs like "watched", "finished", etc. In its settings the user was able to customize almost everything cosmetic on the page. You could even upload your own CSS. It also had a form to set some player music from a chosen URL.
[4/10]
My friend's problem was that the URL he entered didn't even work; it was a YouTube URL. Later on I realized that the address might have to point directly to an audio file (an MP3 in that case). It worked.
[5/10]
Afterwards, I wondered why it worked like that and checked the site's source code. I discovered that the URL entered into the settings form was placed inside an HTML <audio> tag. Now it was clear why the YouTube URL didn't work.
[6/10]
Then I realized that there could be an XSS vulnerability in there, and a simple idea crossed my mind. I quickly set up a temporary account, logged in and tried to close the <audio> tag. I got an error because the input wasn't a URL; if I remember well it said that...
[7/10]
...the URL must begin with "https://". I immediately knew what to do. I simply put in a URL address, and after it I placed closing audio tags and some <script>alert(0); things. I made it: the page displayed the famous "0 alert". A persistent XSS at its finest.
[8/10]
That's it. The vulnerability was instantly reported to the website administrator and was literally fixed in about 10 minutes. I also got some points which I could exchange for discounts in some kind of merchandise webshop. I love guys like these!
[9/10]
The exploit itself.
Note: I had to add another audio element because just after the URL in <audio> came the "type" parameter; I wanted to be sure everything works.

URL: https://pastebin.com/21pyMMAG 
[10/10?]
PS: I also noticed that you could just point to any URL on the web. I reported it along with the main vulnerability, but he said he couldn't really do anything about it, so I think I'll look into it. If I manage to find anything I'll continue this thread. For now CU guys, 3 9~
You can follow @crowfunder.