Tuesday, October 10, 2006

My interpretation - Orkut vector

My interpretation of this page, given the injection string below.


The Orkut user entered the scrap text as:
www.orkut.com/"></a><img src="http://www.bandeirasanimadas.com/Asia/India/3dflagsdotcom_india_2fawm.gif" onload=alert(1)><a style="display:none" href="
Let's greet the independence of India. CHEERS!

Look at the string BEFORE "Let's greet the independence of India. CHEERS!"
Let's call it $USER_LINK.

The string does not contain any newline or any character of that kind. (Remember, the actual injection string was URL-encoded. I have given the URL-decoded string here for convenience.)

1. $USER_LINK is parsed by the Orkut server, which decides that it is a link.
2. So it wraps it as <a href="$USER_LINK">whatever</a>, without escaping the quote inside $USER_LINK.
3. The rest of the text, after the newline, is kept as is.
4. Effectively, the user gets the following:

<a href= "www.orkut.com/"></a><img src="http://www.bandeirasanimadas.com/Asia/India/3dflagsdotcom_india_2fawm.gif" onload=alert(1)><a style="display:none" href=" " >whatever</a>
Let's greet the independence of India. CHEERS!


Effectively, the quote in $USER_LINK closes the href attribute, you are out of the attribute and into raw HTML, and that was it!
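To make the mechanism concrete, here is an added example (not Orkut's code, which was never public): a toy scrap linkifier modelled on the behaviour described above, in its unsafe form beside a hardened one. It assumes, as the post describes, that a line beginning with "www." or "http(s)://" is the link candidate and that the link ends only at the newline; the image host in the sample scrap is a constructed placeholder.

```javascript
// Added example, not Orkut's code: a toy scrap linkifier modelled on the
// behaviour described in the post, unsafe version beside a hardened one.
// Assumption: a line that begins with "www." or "http(s)://" is treated as a
// link candidate, and the link runs to the newline, as the post describes.

function looksLikeUrl(line) {
  return /^(https?:\/\/|www\.)/.test(line);
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Unsafe: the raw line is dropped straight into the href attribute.
// A double quote in the line therefore ends the attribute and the tag.
function linkifyUnsafe(scrap) {
  return scrap
    .split("\n")
    .map((line) => (looksLikeUrl(line) ? `<a href="${line}">link</a>` : line))
    .join("\n");
}

// Hardened: a line is linked only if it consists entirely of characters a URL
// may contain (no quotes, angle brackets or spaces), and every value is
// HTML-escaped before it reaches the markup. Anything else becomes escaped text.
const URL_LINE = /^(https?:\/\/|www\.)[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]*$/;

function linkifySafe(scrap) {
  return scrap
    .split("\n")
    .map((line) => {
      if (!URL_LINE.test(line)) return escapeHtml(line);
      const href = line.startsWith("www.") ? "http://" + line : line;
      return `<a href="${escapeHtml(href)}">${escapeHtml(line)}</a>`;
    })
    .join("\n");
}

// Constructed scrap text with the shape of the injection string from the post
// (the image URL is replaced by a placeholder host).
const SCRAP =
  'www.orkut.com/"></a><img src="http://example.invalid/flag.gif" onload=alert(1)><a style="display:none" href="\n' +
  "Let's greet the independence of India. CHEERS!";

console.log(linkifyUnsafe(SCRAP)); // attribute breakout: an <img ... onload=...> tag appears
console.log(linkifySafe(SCRAP));   // the whole first line is rendered as escaped text
```

The hardened version refuses to link the line at all because it fails the URL character check; even if a quote slipped past that check, the escaping of the href value would keep it inside the attribute.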

Hope this makes sense. Sorry for not having the real HTML. They fixed it before I could save the HTML.


BTW, this was how I could find XSS WITHOUT really attacking Orkut. I know I should not be attacking them without their permission, and they won't give anybody this permission anyway [:d]
