Saturday, June 25, 2016

Bug hunting story - scoop.it - XSS

I wrote quite a lot about scoop.it in my previous post, so I won't elaborate on it again. I'm just dropping the Proof of Concept videos here, plus a bonus.
Those were pretty awful XSS. Most of them got executed if you just visited my profile or had my news in your feed (Samy worm anyone?).


Bonus? = regression :(
If you go to http://www.scoop.it/t/img-src-a-jpg-onerror-alert-1/p/4000880451/2013/05/02/input-autofocus-onfocus-alert-42
and click on 'scoop it' as a logged-in user, you'll get hit by my old stored XSS (also mentioned in the previous article).


Some vulns were trivial, like:
http://www.scoop.it/search?q=%27%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&type=post&page=1&limit=24
and some required some shenanigans. Either way, it's a shame to release a feature vulnerable to the simplest of XSS payloads.
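To show the defensive side of this, here is an added example (my illustration, not scoop.it's code and not the original post's). It takes the three payloads visible in the URLs above, URL-decoded, and runs them through two treatments a search-results template might apply before reflecting the `q` parameter: a naive "strip the script tag" patch of the kind that invites a bypass, and proper HTML output encoding. The template, the helper names and the detection heuristic are assumptions made for the demo.

```javascript
// Added example (not scoop.it's code): a "strip the tag" fix of the kind that
// keeps getting bypassed, beside the contextual output encoding that does not.

// The three payloads quoted in the post, URL-decoded (constructed test input).
const PAYLOADS = [
  `'"><script>alert(1)</script>`,        // /search?q= parameter
  `<img src=a.jpg onerror=alert(1)>`,     // topic slug
  `<input autofocus onfocus=alert(42)>`,  // post slug
];

// "Fix" #1: delete <script> tags and reflect the rest. Stops the first payload only,
// because the other two never use a <script> element.
function naiveStripScript(value) {
  return value.replace(/<\/?script[^>]*>/gi, '');
}

// The actual fix: encode every character that has meaning in HTML text or
// quoted-attribute context, so the browser never sees a new tag or attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// A hypothetical search-results template like the one behind /search?q=...:
// the query is reflected into HTML text. `sanitize` is the treatment under test.
function renderSearchHeader(query, sanitize) {
  return `<h1>Results for "${sanitize(query)}"</h1>`;
}

// Does the reflected value still open an HTML element? A literal '<' followed by
// a letter inside the reflected slot means the browser will parse a new tag.
// (A DOM parser would be the rigorous check; this heuristic suffices for the demo.)
function reflectedValueOpensTag(query, sanitize) {
  return /<[a-z]/i.test(sanitize(query));
}

// Which payloads survive a given treatment? Returns the surviving payloads.
function bypasses(sanitize) {
  return PAYLOADS.filter(p => reflectedValueOpensTag(p, sanitize));
}

// Run stand-alone: node xss-encode.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log('no treatment  :', bypasses(v => v).length, 'of', PAYLOADS.length, 'payloads execute');
  console.log('strip <script>:', bypasses(naiveStripScript).length, 'bypasses');
  console.log('escapeHtml    :', bypasses(escapeHtml).length, 'bypasses');
  console.log(renderSearchHeader(PAYLOADS[0], escapeHtml));
}
```

The point of the comparison is the fix cycle described in the post: a filter written against one payload fixes exactly that payload, while encoding for the output context removes the whole class, since no value can introduce markup regardless of which tag or attribute it tries to use.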

Oh boy, that was a lot of back and forth:
- "we fixed it, thanks"
- "no you haven't, here is a bypass for your fix"
- "oh thanks, we fixed it again"
- "not yet, here is a bypass for your second fix"...

Their PR team sent me a hoodie. I'm still using it; it's the most comfortable hoodie I've ever had. This was a warm gift:
