TL;DR In May 2013 XSS.Cx reported Stored XSS in www.icloud.com and all related applications due to the execution of the Javascript Protocol Handler. The Root Cause of the Issue was using Notes to inject the Code and then a Browser to View the Exploit. An Attacker could craft a malicious Note and then Share the […]
Category: Javascript Injection
XSS, homes.yahoo.net, Cross Site Scripting, Javascript Injection, CWE-79, CAPEC-86, PoC, Resolved
PoC Summary The Mortgage Calculator in homes.yahoo.net was vulnerable to Reflected Cross Site Scripting (RXSS) in multiple parameters. Reported to Y! Security in October 2013 and more recently resolved, this PoC was outside the Scope of the Y! Bug Bounty Program. Y! Bug Bounty Scope XSS in homes.yahoo.net The domains and properties below are in […]
Stored DOM XSS, www.ebay.com, Search Breadcrumb, Javascript Injection, Cookie Sink, Resolved
Stored DOM XSS in eBay Search Bread Crumb PoC Summary Stored XSS in www.ebay.com at Search Breadcrumb using multiple Parameters & Cookie Sinks via URL to evade XSS Neutering Routines. Stored XSS in www.ebay.com at Search Breadcrumb Description The Search Breadcrumb in www.ebay.com is dynamically generated based on User Navigation. The Search Terms, Search Breadcrumb […]
linkedin.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Resolved
Resolved: XSS in trk parameter of www.linkedin.com as an authenticated user. Reported to security@linkedin.com on June 11, 2013 and resolved today, August 18, 2013. PoC URL http://www.linkedin.com/today/?trk=today_home_top_today_control</script><script>alert(1)</script> MATCH ON: fs.config({“failureRedirect”:”http://www.linkedin.com/nhome/”,”xhrHeaders”:{“X-FS-Origin-Request”:”/today/?trk=today_home_top_today_control</script><script>alert(1)</script>”,”X-FS-Page-Id”:”pulse-top-news”}}); REQUIRED: Logged In User. XSS in linkedin.com Commentary: LinkedIn has a Vulnerability Rewards Program which results in sending a T-Shirt, which is ridiculous. Instead, it's suggested that LinkedIn […]
redhat.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Resolved
Resolved: Search Query XSS in www.redhat.com. Reported a while back and fixed more recently. Does your Site have a Search Box? Test for XSS. Does your Site use Omniture Tracking Code? Test for XSS. Once upon a time, www.redhat.com had Search Form XSS in the q Param due to the “old and vulnerable Omniture Code” that allowed […]
iis.net, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Resolved
Resolved: XSS in iis.net at CreatedBy Param. Reported Q2/2012, Resolved Q2/2012. Once upon a time, iis.net had XSS… Resolved: XSS in iis.net at CreatedBy Param
silverlight.net, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Resolved
Resolved: XSS in silverlight.net. Reported Q2/2012, Resolved Q2/2012. PoC URL http://www.silverlight.net/showcase/submit?12345“><script>alert(1)</script>xss=9 Once upon a time, silverlight.net had XSS. Resolved: XSS in silverlight.net
mail.discoverbing.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Resolved
Resolved: XSS in mail.discoverbing.com. Reported Q2/2012, Resolved Q4/2012. Once upon a time, mail.discoverbing.com had multi-param XSS allowing all modern User Agent XSS Neutering Routines to be evaded. Resolved: XSS in mail.discoverbing.com
yahoobingnetwork.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, 0D
UNRESOLVED: yahoobingnetwork.com 0D XSS Reported to MSRC on Feb. 6, 2013, No Reply Received July 17, 2013. Reflected Cross Site Scripting in the ‘q’ Parameter of www.yahoobingnetwork.com PoC URL http://yahoobingnetwork.com/it/search?mkt=it-IT&q=Search94933%22%3balert%28document.cookie%29//177&scope=&subscope=&url= 0D XSS in yahoobingnetwork.com
bing.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Resolved
Resolved: XSS in www.bing.com at Weather. Reported Q1/2013, resolved Q2/2013. The maptype and mapcat params reflected the JSI from the Server into the Browser. Since multiple Parameters could be combined, all modern User Agent Neutering Routines could be evaded. PoC URL was http://www.bing.com/weather/maps?q=weather&unit=3&FORM=DTPWEO&qpvt=3&mapview=detail&mapcat=1&maptype=’+prompt(9)+’. Resolved: XSS in www.bing.com in Maps