Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Friendster XSS
Posted by: takatoo
Date: March 27, 2007 11:56PM

Friendster gives you 2 HTML-enabled boxes in the edit profile form.
1) About Me
2) Describe Who You Want to Meet

I've tried playing around with these two boxes but no luck.

The funny thing is, you can write HTML in other boxes [hometown - fav tv show] and Friendster doesn't even bother to filter it.

try:
http://www.friendster.com/40795807

Re: Friendster XSS
Posted by: Th0R
Date: March 28, 2007 12:25AM

Just want to add a little additional information:

Except About Me and Describe Who You Want to Meet, there is also Testimonials as the most dangerous part of Friendster, it's vuln anywhere.

Anyway .. Within that PoC, I love the photo of that Friendster .. "L" ;P

Thanks.
Th0R



Edited 1 time(s). Last edit at 03/28/2007 12:27AM by Th0R.

Re: Friendster XSS
Posted by: takatoo
Date: March 28, 2007 05:33AM

I found another, but this one needs a click.
http://www.friendster.com/invite.php?_submitted=1&newuser=&email=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&message=

______________________
koware au kara ugokenai
sabishii hane kasanete

Re: Friendster XSS
Posted by: hackathology
Date: March 31, 2007 04:17AM

Good luck Friendster, never been a fan of Friendster.

Hey Friendster developer, please get your system patched.

http://hackathology.blogspot.com

Re: Friendster XSS
Posted by: takatoo
Date: March 31, 2007 09:22PM

They already patched the XSS hole in [profile],
but [add friend] is still vulnerable.
