Thursday, 19 December 2013

Yandex Metrica multiple XSS vulnerabilities

Ok, some time ago I found a few XSS vulnerabilities in one of Yandex's services, called Metrika. Most are fixed now, so I can publish the Proofs of Concept. :)

1) Reflected XSS - [somewhere]

(this one is still not fixed, so it will be disclosed in the future; it's nothing special really)

2) Stored XSS - external links

The demonstration video is quite long because I was creating the PoC while recording. ;-)

http://www.youtube.com/watch?v=ZhNn0uYXpL8

3) Stored XSS - Webvisor

Visiting your website (one with the Metrica counter installed) via a URL like this:

http://hostname/x.htm?<img/src="XXX"/onerror="alert(1)">ab

causes Metrica Webvisor to render it without escaping, which is just another stored XSS: the query string is recorded as part of the visited URL and later displayed as markup in the Metrica interface.
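
As an added example (not Yandex's code and not part of the original post), here is the rendering mistake behind item 3 as an unsafe renderer beside its output-encoded form, plus a check that flags recorded query strings containing markup characters. The table-cell layout and the "hostname" placeholder are assumptions.

```javascript
// Added example (not Yandex's code). Webvisor records the full URL of every
// page view, and the query string is attacker-controlled: anyone can request
// the tracked site with any query string. A viewer that pastes the recorded
// URL straight into its own markup therefore executes the payload inside the
// analytics dashboard (stored XSS). The fix is output encoding when rendering.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the recorded URL is concatenated into markup as-is.
function renderVisitUnsafe(recordedUrl) {
  return `<td class="url">${recordedUrl}</td>`;
}

// Hardened pattern: the same cell, with the URL encoded as text.
// (In browser code, assigning to textContent instead of innerHTML does the same.)
function renderVisitSafe(recordedUrl) {
  return `<td class="url">${escapeHtml(recordedUrl)}</td>`;
}

// Detection aid for the recording side: flag stored URLs whose query string
// carries markup characters, so those sessions can be reviewed.
function queryLooksLikeMarkup(recordedUrl) {
  const q = recordedUrl.indexOf('?');
  return q !== -1 && /[<>"']/.test(recordedUrl.slice(q + 1));
}

// Constructed sample input following the URL shape from the post
// ("hostname" is a placeholder for the tracked site).
const RECORDED_URL = 'http://hostname/x.htm?<img/src="XXX"/onerror="alert(1)">ab';

console.log('unsafe :', renderVisitUnsafe(RECORDED_URL)); // tag survives intact
console.log('safe   :', renderVisitSafe(RECORDED_URL));   // tag shown as literal text
console.log('flagged:', queryLooksLikeMarkup(RECORDED_URL)); // true
```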
4) Stored XSS - file downloads

http://www.youtube.com/watch?v=4xgcjisyzK8

5) Stored XSS - Clickpath analysis

http://www.youtube.com/watch?v=SqTSoCd86Sk

6) Reflected XSS - Form Data analysis

http://www.youtube.com/watch?v=LALvffnT-vQ

7) *BONUS* Out-of-scope (and so unrewarded) reflected XSS in yandex.st.

http://yandex.st/mail/neo2/7.35.2005/static/swf/web-socket.swf?onLoad=this.alert('XSS')

Effect + source code:


And that's all for today. :)
