Ok. Playtime’s over. Some people need to fix something.

I’ve been playing with an XSS (cross-site scripting) vulnerability in a social-networking site I’m using. The site had already had XSS holes in the past that got patched. But then the addition of new features always opened up new problems.

One boring weekend, I got really curious about what I could do with XSS. Usually, whenever I see a site that is prone to script injection, I pop up an alert box (a warning to fix the hole) and redirect them to somewhere else (usually Google). This time, I tried something neat. I’ve already read articles about stealing cookies via XSS but didn’t get to see how the stolen cookies were put into use. So I thought of doing an actual experiment to see if those things really work.

Long story short: it worked. I was able to log into other user accounts without knowing their passwords. I asked some (http://subersibo.net) people (http://redyushen.net) for help to test this and gave them a demo. Really, I’m tempted to peek at other people’s accounts. But I don’t want guilt to keep me awake all night after a hard day’s job.

I already informed the folks at that site about the XSS hole. Maybe I’ll post how I did it after the vulnerability gets fixed. It was quite simple like the articles I’ve read before.


Comments: 1




What’s the latest news regarding your attempt to do XSS on that social networking site?
Can you post how you did it?



