what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

LinkedIn Cross Site Scripting

LinkedIn Cross Site Scripting
Posted Nov 20, 2015
Authored by Rohit Dua

The Help Forum on LinkedIn suffered from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 2a9bd1ced4f661fb3399fe7cdf77a6afff11cf4a90862e613b8e31b764cbbe69

LinkedIn Cross Site Scripting

Change Mirror Download
LinkedIn social network affected by Persistent Cross-Site Scripting
vulnerability(XSS)
(patched in less than 3 hours)

=========================

I. VULNERABILITY
-------------------------
LinkedIn social network is affected by Persistent Cross-Site Scripting
(stored XSS)
vulnerability.

II. BACKGROUND
-------------------------
LinkedIn is a social networking service and website operates the world's
largest professional network on the Internet with more than 187 million
members in over 200
countries and territories.
More Information: http://press.linkedin.com/about

III. DESCRIPTION
-------------------------
LinkedIn social network is affected by Persistent Cross-Site Scripting
vulnerability. The persistent (or stored) XSS vulnerability is a more
devastating variant
of a cross-site scripting flaw: it occurs when the data provided by the
attacker is saved by the
server, and then permanently displayed on "normal" pages returned to other
users in the
course of regular browsing, without proper HTML escaping. The affected
resource is
http://community.linkedin.com/questions/ask.html , the help center
discussion forum.

IV. PROOF OF CONCEPT
-------------------------
After signing in, go to LinkedIn Help Center(
https://help.linkedin.com/app/home/) --> Help Forum(tab)
--> Start a Discussion (http://community.linkedin.com/questions/ask.html).
In the 'Your Question' field you can enter random chars(min. 10), although
its a vulnerable field too.
The 'Enter tags' field can have any tags.
In the 'Give more Details' field you can put this:-

padding padding
padding
<<a></a>body onload = alert('XSS') >

The '<a></a>' tags are important. LinkedIn filters detect and remove
content with chars after opening html
tag(<),
eg: 'aa<body>d' will get modified to just aad.
The '<a></a>' go through the filter and get removed resulting in '<body
onload = alert(1) >', which executes nicely.

Finally, once the question gets posted it(along with the script execution)
can be immediately viewed in Help Forum-->Your Discussions or in the
questions public list, or the questions page of your tag.(could be easily
used for a xss worm!)

* POC Video link at end

V. BUSINESS IMPACT
------------------------
If a malicious user will find a way to exploit this vulnerability could
make other users perform actions that she wanted in the application because
the csrf token is useless, since based on the user's session.

The vulnerability could be used to spread a XSS worm using help forums.

XSS attacks can have a profound impact on an organizations reputation and
security, as well as the security of its customers.

VI. SYSTEMS AFFECTED
-------------------------
The vulnerability affects the LinkedIn network.

VII. CREDITS
-------------------------
These vulnerabilities have been discovered by
Rohit Dua (https://in.linkedin.com/in/rohitdua).
(https://github.com/rohit-dua)

VIII. DISCLOSURE TIMELINE
-------------------------
Nov 16, 2015: Vulnerability acquired by Rohit Dua(
https://in.linkedin.com/in/rohitdua).
Nov 16, 2015 11:15 PM: Responsible disclosure to Linkedin Security
Team.
Nov 16, 2015 11:28 PM: Initial vendor notification sent
Nov 17, 2015 02:12 AM: Vendor implemented a fix*
Nov 18, 2015: Disclosure

* LinkedIn sec. team fixed the bug within 3 hours of reporting.

IX. Links
------------------------
screenshot:- http://www.rohitdua.com/images/linkedin-xss-screenshot.png
injected-code:-
http://www.rohitdua.com/images/linkedin-xss-injected-code.png
POC Video:- https://www.youtube.com/watch?v=01I9ImHP26o



Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close