XSS in Digg
Posted by: busin3ss
Date: March 31, 2007 09:59PM

Original source:

http://mybeni.rootzilla.de/mybeNi/2007/digg_delicious_netscape_technorati_hacked/

He didn't share the code, but I was already using that XSS, so here it is:

http://digg.com/offbeat_news/Digg_Delicious_Netscape_And_Technorati_Hacked?creplyto=5943349'%22%3E<h1>XSS</h1>

It was working like a charm for a couple of weeks, but since he reported it to Digg it seems that it was fixed.

Re: XSS in Digg
Posted by: Ghozt
Date: March 31, 2007 10:42PM

There's one in their new invitefrom feature too.

Re: XSS in Digg
Posted by: busin3ss
Date: March 31, 2007 10:57PM

Ghozt Wrote:
-------------------------------------------------------
> There's one in their new invitefrom feature too.


XSS?
I know there is an auto-friend adder, but that's not XSS, just lame security :P

Re: XSS in Digg
Posted by: psifertex
Date: April 01, 2007 01:01AM

@busin3ss: that type of attack goes by the name of CSRF (cross-site request forgery)

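The auto-friend adder psifertex names as CSRF is a state change triggered by a plain GET that the browser authorises with the session cookie alone. The following is an added example, not Digg's code and not from any poster: a constructed model of such an endpoint beside a hardened version that requires a POST and a per-session token compared in constant time. The names `Request`, `Session`, `invitefrom_vulnerable`, `invitefrom_hardened` and the `/invitefrom/<username>` path layout are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed model of an "add friend" endpoint (hypothetical, not Digg's code).


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    username: str
    friends: Set[str] = field(default_factory=set)
    # Per-session secret that only pages rendered by this site can read.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: Dict[str, Session] = {}


def session_for(request: Request) -> Optional[Session]:
    # The browser attaches the cookie to every request for this site,
    # including requests that another site's page caused it to make.
    return SESSIONS.get(request.cookies.get("sid", ""))


def invitefrom_vulnerable(request: Request) -> Tuple[int, str]:
    """State change on a GET, authorised by the session cookie alone."""
    session = session_for(request)
    if session is None:
        return 401, "login required"
    target = request.path.rsplit("/", 1)[-1]
    session.friends.add(target)
    return 200, "added " + target


def invitefrom_hardened(request: Request) -> Tuple[int, str]:
    """Require POST plus a token a cross-site page cannot obtain."""
    session = session_for(request)
    if session is None:
        return 401, "login required"
    if request.method != "POST":
        return 405, "friend additions must be POSTed"
    supplied = request.form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403, "missing or invalid CSRF token"
    target = request.form.get("username", "")
    if not target:
        return 400, "username required"
    session.friends.add(target)
    return 200, "added " + target


def run_scenario() -> Dict[str, object]:
    """Replay one forged cross-site GET against both handlers, then one honest POST."""
    SESSIONS.clear()
    victim = Session("victim")
    SESSIONS["s1"] = victim
    # Constructed forged request: the logged-in browser sends this GET with its
    # cookie whenever another page embeds the URL (for example as an image source).
    forged = Request("GET", "/invitefrom/attacker", cookies={"sid": "s1"})
    vulnerable_status, _ = invitefrom_vulnerable(forged)
    forged_added = "attacker" in victim.friends
    victim.friends.clear()
    hardened_status, _ = invitefrom_hardened(forged)
    forged_blocked = "attacker" not in victim.friends
    # Honest request submitted from the site's own form, carrying the token.
    honest = Request("POST", "/invitefrom", cookies={"sid": "s1"},
                     form={"username": "friend", "csrf_token": victim.csrf_token})
    honest_status, _ = invitefrom_hardened(honest)
    return {
        "vulnerable_status": vulnerable_status,
        "forged_added": forged_added,
        "hardened_status": hardened_status,
        "forged_blocked": forged_blocked,
        "honest_status": honest_status,
        "honest_added": "friend" in victim.friends,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The token only helps if it never appears in a URL (where it would leak through referrers and logs) and is bound to the session rather than global; the POST-only rule additionally keeps the state change out of image tags and link prefetchers.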
Re: XSS in Digg
Posted by: busin3ss
Date: April 01, 2007 02:00AM

psifertex Wrote:
-------------------------------------------------------
> @busin3ss: that type of attack goes by the name of
> CSRF (cross-site request forgery)


I know :P

But still, I haven't found an XSS in the friend adder, so it would be great if Ghozt could elaborate more about it

Re: XSS in Digg
Posted by: Ghozt
Date: April 01, 2007 02:57AM

I think it's fixed, but here's how I found it:

Went to xttp://digg.com/invitefrom/yourusername while logged in, it told me that I had successfully added "yourusername" as a friend, and gave me a URL that I could actually edit the parameter with (xttp://digg.com/Ghozt/invitefrom/invitefrom.php?blah=blah&blah=yourusername or something along those lines), and when I tried "><script>alert(1)</script> in the last parameter it fired. It only worked if you had the currently logged in username in the URL though, which is why I didn't post it in FD.

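Both findings in this thread (the `creplyto` parameter in the first post and the invitefrom confirmation page Ghozt describes) are reflected XSS: a request parameter is written back into the page without encoding, so a value containing `">` closes the attribute it was placed in and the rest is parsed as markup. The block below is an added example, not Digg's code and not from any poster: a constructed rendering of a "you added X as a friend" page in its unencoded and its context-encoded forms, plus a small check that counts how many tags the reflected value adds to the page. The function names and the `blah=` query parameter are hypothetical.

```python
import html
from typing import Callable
from urllib.parse import quote

# Constructed rendering of a friend-confirmation page (hypothetical, not Digg's
# invitefrom.php). The username reaches the page in two contexts: an HTML
# text node and the query string of an href attribute.


def invite_page_vulnerable(username: str) -> str:
    """Reflects the parameter verbatim into both contexts."""
    return (
        '<p>You have added <b>' + username + '</b> as a friend.</p>\n'
        '<a href="/invitefrom/invitefrom.php?blah=' + username + '">share</a>'
    )


def invite_page_hardened(username: str) -> str:
    """Encode per context: entities for the text node; URL-encode then
    attribute-encode the value that lands inside the href query string."""
    text_safe = html.escape(username, quote=True)
    href_safe = html.escape(quote(username, safe=""), quote=True)
    return (
        '<p>You have added <b>' + text_safe + '</b> as a friend.</p>\n'
        '<a href="/invitefrom/invitefrom.php?blah=' + href_safe + '">share</a>'
    )


def extra_tags(render: Callable[[str], str], value: str) -> int:
    """Number of '<' characters the reflected value adds beyond the template's own.

    A correctly encoded page adds none, whatever the value contains."""
    return render(value).count("<") - render("").count("<")


# Constructed inputs: the two payload shapes quoted in the thread, URL-decoded.
SCRIPT_PAYLOAD = '"><script>alert(1)</script>'
H1_PAYLOAD = "5943349'\"><h1>XSS</h1>"


def report() -> dict:
    """Summarise how each renderer treats both payloads."""
    return {
        "vulnerable_script": extra_tags(invite_page_vulnerable, SCRIPT_PAYLOAD),
        "hardened_script": extra_tags(invite_page_hardened, SCRIPT_PAYLOAD),
        "vulnerable_h1": extra_tags(invite_page_vulnerable, H1_PAYLOAD),
        "hardened_h1": extra_tags(invite_page_hardened, H1_PAYLOAD),
    }


if __name__ == "__main__":
    print(invite_page_vulnerable(SCRIPT_PAYLOAD))
    print(invite_page_hardened(SCRIPT_PAYLOAD))
    print(report())
```

The count-based check is deliberately crude but general: it does not need to know which tag a payload uses, only that output encoding must never let a parameter introduce markup. Note the two encoding layers for the href: URL-encoding alone would leave `"` and `>` intact in the attribute if the value were ever placed there unquoted, and entity-encoding alone would leave the query string malformed.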
Re: XSS in Digg
Posted by: beNi
Date: April 01, 2007 03:09PM

I didn't report it to Digg; they just closed it without any reply or anyone contacting me.
Some guys reported it to them :(

Next time it will spread properly - at least I'm hoping so

Re: XSS in Digg
Posted by: busin3ss
Date: April 01, 2007 05:04PM

Next time let me know before reporting it so we can make some $$$ :)

Re: XSS in Digg
Date: April 02, 2007 03:08AM

In what regards do you capitalize monetarily on XSS? I'm not interested in doing it as I have always turned down money offered up after finding vulnerabilities, but as I said in your introduction thread I enjoy these concepts and theories.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: XSS in Digg
Posted by: beNi
Date: April 02, 2007 11:28AM

I nearly sold the Digg Voting Script, but then I chose to use it for myself ;-)
