czwartek, 19 grudnia 2013

Yandex Metrica multiple XSS vulnerabilities

Ok, some time ago I found few XSS vulnerabilities at one of Yandex services called Metrika.. Most are fixed now, so I can provide Proof Of Concepts publicly. :)

1) Reflected XSS - [somewhere]

(this one is still not fixed so - it will be disclosed in future, but it's nothing special really)

2) Stored XSS - external links

Demonstration video is quite long because I was creating PoC while recording. ;-)

3) Stored XSS - WebVisior

Visiting your website with Metrica counter in this way:


causes that Metrica WebVisior rendered it without escaping, which is just another stored XSS.

4) Stored XSS - file downloads

5) Stored XSS - Clickpath analysis

6) Reflected XSS - Form Data analysis

7) *BONUS* out of scope (so unrewarded) reflected XSS in'XSS')

Effect + source code:

And that's all for today. :)

Brak komentarzy:

Prześlij komentarz