[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] LinkedIn - Persistent Cross-Site Scripting vulnerability(XSS)
From: Rohit Dua <8ohit.dua () gmail ! com>
Date: 2015-11-18 15:54:52
Message-ID: CAKh+L71Cpc2goaURfm8_q90EfeT9m=NBOEzkGzH6rGXrggEdLA () mail ! gmail ! com
[Download RAW message or body]
LinkedIn social network affected by Persistent Cross-Site Scripting
vulnerability(XSS)
(patched in less than 3 hours)
=========================
I. VULNERABILITY
-------------------------
LinkedIn social network is affected by Persistent Cross-Site Scripting
(stored XSS)
vulnerability.
II. BACKGROUND
-------------------------
LinkedIn is a social networking service and website operates the world's
largest professional network on the Internet with more than 187 million
members in over 200
countries and territories.
More Information: http://press.linkedin.com/about
III. DESCRIPTION
-------------------------
LinkedIn social network is affected by Persistent Cross-Site Scripting
vulnerability. The persistent (or stored) XSS vulnerability is a more
devastating variant
of a cross-site scripting flaw: it occurs when the data provided by the
attacker is saved by the
server, and then permanently displayed on "normal" pages returned to other
users in the
course of regular browsing, without proper HTML escaping. The affected
resource is
http://community.linkedin.com/questions/ask.html , the help center
discussion forum.
IV. PROOF OF CONCEPT
-------------------------
After signing in, go to LinkedIn Help Center(
https://help.linkedin.com/app/home/) --> Help Forum(tab)
--> Start a Discussion (http://community.linkedin.com/questions/ask.html).
In the 'Your Question' field you can enter random chars(min. 10), although
its a vulnerable field too.
The 'Enter tags' field can have any tags.
In the 'Give more Details' field you can put this:-
padding padding
padding
<<a></a>body onload = alert('XSS') >
The '<a></a>' tags are important. LinkedIn filters detect and remove
content with chars after opening html
tag(<),
eg: 'aa<body>d' will get modified to just aad.
The '<a></a>' go through the filter and get removed resulting in '<body
onload = alert(1) >', which executes nicely.
Finally, once the question gets posted it(along with the script execution)
can be immediately viewed in Help Forum-->Your Discussions or in the
questions public list, or the questions page of your tag.(could be easily
used for a xss worm!)
* POC Video link at end
V. BUSINESS IMPACT
------------------------
If a malicious user will find a way to exploit this vulnerability could
make other users perform actions that she wanted in the application because
the csrf token is useless, since based on the user's session.
The vulnerability could be used to spread a XSS worm using help forums.
XSS attacks can have a profound impact on an organizations reputation and
security, as well as the security of its customers.
VI. SYSTEMS AFFECTED
-------------------------
The vulnerability affects the LinkedIn network.
VII. CREDITS
-------------------------
These vulnerabilities have been discovered by
Rohit Dua (https://in.linkedin.com/in/rohitdua).
(https://github.com/rohit-dua)
VIII. DISCLOSURE TIMELINE
-------------------------
Nov 16, 2015: Vulnerability acquired by Rohit Dua(
https://in.linkedin.com/in/rohitdua).
Nov 16, 2015 11:15 PM: Responsible disclosure to Linkedin Security
Team.
Nov 16, 2015 11:28 PM: Initial vendor notification sent
Nov 17, 2015 02:12 AM: Vendor implemented a fix*
Nov 18, 2015: Disclosure
* LinkedIn sec. team fixed the bug within 3 hours of reporting.
IX. Links
------------------------
screenshot:- http://www.rohitdua.com/images/linkedin-xss-screenshot.png
injected-code:-
http://www.rohitdua.com/images/linkedin-xss-injected-code.png
POC Video:- https://www.youtube.com/watch?v=01I9ImHP26o
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic