Friday, July 17, 2009

Blogger/BlogSpot Cross-Site Scripting

So the other day I posted a unique blog on here relating to Cross-Site Scripting(XSS), and our account got suspended. I simply posted an image with the "onmouseover" attribute in the image tag to do some simple JavaScript alerts, notifying you that it could have been an XSS stealing your username/password, redirecting the page, logging your keystrokes, or even launching a buffer overflow against your browser. This is definitely not new news at all [1], however they have appeared to try to fix it (very poorly may I add) sometime in the last year. They attempt to filter certain things is a decent start since I documented over a year ago (06-27-08) [2] where you could type in a simple <script>alert('xss')</script> and it would work. Either they have failed at fixing it, or just don't care. Whether or not some of you reading our blog reported it as spam or perhaps Blogger/BlogSpot noticed my proof of concept and didn't approve, let's just hope their approach to information security is not like that of the United Nations [3], who apparently get hacked in 2007 via SQL injection and publicly blogged about, and continue to be vulnerable as of 07-01-09 [4], as gathered from Google cache data. Either way, many people wonder why there are so many breaches, and penentration testers like myself know that the vast majority go unreported. With so many vulnerabilities indexed in Google, and a slow/poor response to fix them or having them attempted to be fixed and done so incorrectly, no doubt, it is a matter of WHEN, not IF your information gets compromised.

UPDATE: Apparently I was trying to hard with my XSS proof of concept the other day and I stand to be corrected: A plain vanilla open and close script tag with an alert in it still works. From what I can tell, the input for the "Compose" view is HTML Encoded when published and the "Edit Html" view is published raw. Maybe after a few years of knowing about the problem and not doing anything about it, they should be nominated for a pwnie award[5]?

Read more!