Friday, January 12, 2007

XSS in Blogspot

Yesterday RSnake posted about an "XSS" hole in Blogger. I don't really think it's XSS if you can only inject on your own blog, but whatever. It didn't sound too interesting that it was Safari-only either, so I decided to extend the exploit to MSIE and Firefox, so here it is:

http://nightofthexss.blogspot.com/

The exploit relies on two things: Firefox actually parses HTML comments correctly, and MSIE supports conditional comments.
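As an added example (not code from the original post), here is a defender-side check in JavaScript that flags MSIE conditional comments in user-supplied HTML and strips comment bodies instead of passing them through; the function names and the sample string are my own, not Blogger's.

```javascript
// Added example, not from the original post: a filter that treats everything
// between <!-- and --> as inert misses that MSIE renders the contents of
// <!--[if ...]> ... <![endif]-->, so comment bodies must be inspected or
// removed, never forwarded untouched.

// Downlevel-hidden form: a comment to other browsers, rendered by MSIE.
const DOWNLEVEL_HIDDEN = /<!--\s*\[if\s+[^\]]*\]>([\s\S]*?)<!\[endif\]\s*-->/gi;
// Downlevel-revealed form: not a comment at all in other browsers.
const DOWNLEVEL_REVEALED = /<!\[if\s+[^\]]*\]>([\s\S]*?)<!\[endif\]>/gi;
// Any HTML comment, used when stripping.
const ANY_COMMENT = /<!--[\s\S]*?-->/g;

// Return every conditional-comment block found, with its condition and body.
function findConditionalComments(html) {
  const hits = [];
  const forms = [["hidden", DOWNLEVEL_HIDDEN], ["revealed", DOWNLEVEL_REVEALED]];
  for (const [kind, re] of forms) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(html)) !== null) {
      const condition = m[0].match(/\[if\s+([^\]]*)\]/i)[1].trim();
      hits.push({ kind, condition, body: m[1] });
    }
  }
  return hits;
}

// Remove comments and conditional blocks entirely, contents included,
// so nothing a lenient parser considers "commented out" reaches MSIE.
function stripComments(html) {
  return html.replace(DOWNLEVEL_REVEALED, "").replace(ANY_COMMENT, "");
}

// Constructed sample (hypothetical): the <b> element renders only in MSIE.
const SAMPLE = "Hello <!--[if IE]><b>only IE sees this</b><![endif]--> world";

console.log(findConditionalComments(SAMPLE));
console.log(JSON.stringify(stripComments(SAMPLE)));
```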

Kudos to Jose Avila for the original exploit.

5 comments:

Jose Avila III said...

You stated "I don't really think it's XSS if you can only inject on your own blog"; however, look at this scenario... User A is logged into blogspot, views the malicious blog post, the javascript payload makes an entry into their page to inject the exploit there. It could potentially also delete the other person's posts, steal their session with blogspot, etc. This could potentially make a blogspot worm.

Eamon Nerbonne said...

All actions on blogger.com occur via the blogger.com domain. I don't see how the user himself could change his own blog when viewing the xyz.blogspot.com domain, let alone any other logged in user. Maybe I'm missing something, but this seems mostly unexploitable, without some other, additional security leak.

Martijn said...

Hey Mark, time for a new security article! Your readers are waiting eagerly...

Mark IJbema said...

You ask, we deliver ;)
