Meter HTML5 XSS filter bypass

I was playing around with some new HTML5 features and noticed a funny one. The meter element gives you a gauge that looks like a progress bar, on the fly: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meter

Immediately I thought about using it to bypass a badly written tag-blacklist XSS filter by attaching an event handler to it:

<meter onmouseover="alert(1)">

You can check it on https://jsfiddle.net/btksfbbx/ Nowadays this doesn’t…
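As an added example (not code from the original post), the JavaScript below reproduces the failure mode the post relies on: a tag blacklist of the usual suspects lets the meter payload through untouched because <meter> is not on the list, while an allowlist that keeps only known-safe tags and drops every attribute stops it. The function and list names are mine, the payload strings are constructed, and both filters are toy implementations for illustration rather than a replacement for a maintained sanitizer.

```javascript
// Added example, not from the original post. A tag blacklist misses any element
// it never heard of, and event-handler attributes work on almost every element,
// so <meter onmouseover=...> from the post slips straight through. Names are mine.

// Naive blacklist of the usual XSS carriers; <meter> is not on it.
const BLACKLISTED_TAGS = new Set(['script', 'img', 'svg', 'iframe', 'object', 'embed', 'body']);

// Removes a tag only when its name is blacklisted; everything else is passed
// through untouched, attributes included.
function blacklistFilter(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) =>
    BLACKLISTED_TAGS.has(name.toLowerCase()) ? '' : tag);
}

// Allowlist of harmless formatting tags; nothing else is allowed to exist.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);

// Keeps only allowlisted tags, rewritten without any attributes; drops every
// other tag, and encodes a stray '<' that does not start a tag at all.
function allowlistFilter(html) {
  return html.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>|</g, (match, slash, name) => {
    if (name === undefined) return '&lt;';            // lone '<' in text
    const lower = name.toLowerCase();
    return ALLOWED_TAGS.has(lower) ? `<${slash}${lower}>` : '';
  });
}

// Constructed inputs: the payload from the post and a classic one the blacklist does catch.
const METER_PAYLOAD = '<meter onmouseover="alert(1)">';
const IMG_PAYLOAD = '<img src=x onerror=alert(1)>';

console.log(blacklistFilter(METER_PAYLOAD)); // unchanged: the bypass
console.log(blacklistFilter(IMG_PAYLOAD));   // removed
console.log(allowlistFilter(METER_PAYLOAD)); // removed
console.log(allowlistFilter('<b onclick="x">bold</b> 1 < 2')); // <b>bold</b> 1 &lt; 2
```

The lesson is that the attribute, not the element, carries the payload: any element name the filter does not know about, present or future, defeats a blacklist, whereas an allowlist fails closed. In real code use a maintained HTML sanitizer (DOMPurify or similar) rather than regular expressions; the toy above is only there to make the difference visible.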

Multiple vulns on mTouch Quiz WordPress plugin

Plugin link: https://wordpress.org/plugins/mtouch-quiz/
Active Installs: 5,000+
Version tested: 3.1.2
CVE Reference: Waiting

mTouch Quiz lets you add quizzes to your site. This plugin was designed with learning, touch friendliness and versatility in mind.

I found multiple vulnerabilities in the WordPress plugin mTouch Quiz <= 3.1.2.

#1 Reflected XSS on Quiz Manage: the “quiz” parameter wasn’t properly…

XSS on an input hidden field

…where the input is sanitized for the ‘ < > chars. I came across a web application in a bounty program where the returnurl was placed in the following HTML:

<input type="hidden" name="returnurl" value="[USER INJECT]" />

The security filter removed the < > ’ chars but left the double quote untouched and reflected it. What’s the first thing that comes…
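The filter described above, rebuilt as an added example (not the post’s own code) beside the encoding that actually fits a double-quoted attribute. The function names and the sample payload are mine; the HTML template is the one quoted in the post. The check counts the attributes on the rendered tag: with the weak filter the user value adds one, with proper attribute encoding it cannot. Whether a particular handler ever fires on a hidden input is a separate question that the post goes on to discuss; the point here is the attribute boundary.

```javascript
// Added example, not from the original post. Reproduces the weak filter the
// post describes (strips < > ' but not ") next to proper attribute encoding.

// Weak filter as described: only < > and ' are removed; " is left intact.
function weakFilter(value) {
  return value.replace(/[<>']/g, '');
}

// Encoding for a double-quoted HTML attribute: every character that can end
// the attribute or the tag is replaced, not a hand-picked subset.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// The template quoted in the post, with the user value passed through a filter.
function renderHidden(returnurl, filter) {
  return `<input type="hidden" name="returnurl" value="${filter(returnurl)}" />`;
}

// Lists the attribute names on a single tag (double-quoted values only, which
// is enough for this template). A user-controlled value must never add one.
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z-]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample payload: closes the value attribute and starts a new one.
const PAYLOAD = 'x" onmouseover="alert(1)';

console.log(renderHidden(PAYLOAD, weakFilter)); // four attributes: onmouseover was injected
console.log(renderHidden(PAYLOAD, encodeAttr)); // three attributes: payload stays inside value
```

Stripping a list of “bad” characters is the wrong shape of defence: the set has to be complete for the exact context the value lands in, and here the one character that matters for a double-quoted attribute was left out. Contextual output encoding (all five of & < > " ') needs no such guess, and a test like attributeNames makes the regression visible.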

Tiny XSS exploitation

A well-known website had a 32-character limit on the user name field, which was reflected in the public profile area. That field allowed XSS exploitation:

d<img src=x onerror=prompt(1)>

Simple, right? But sometimes you need to provide a better vector, one where the affected company can see more than a prompt with a number.…

Get a bounty on a WordPress blog

I would like to describe, step by step, my latest “appreciation program” reward for a security issue in a WordPress plugin. First things first: check if the blog is in scope of the program. If it is, continue reading this article. If not, you can just see my other tips about #bugbounty (here and here).…

Events Made Easy WordPress plugin CSRF + Persistent XSS

Plugin link: https://wordpress.org/plugins/events-made-easy/
Active Installs: 10,000+
Version tested: 1.5.49
CVE Reference: Waiting

Events Made Easy is a full-featured event management solution for WordPress. Events Made Easy supports public, private, draft and recurring events, locations management, RSVP (+ optional approval), Paypal, 2Checkout, FirstData and Google maps. With Events Made Easy you can plan and publish your…

Komento Joomla! component Persistent XSS

CVE Reference: CVE-2015-7324

Komento is a Joomla! comment extension for articles and blogs in K2, EasyBlog, ZOO, Flexicontent, VirtueMart and redShop (http://stackideas.com/komento).

I found out that it was possible to launch a Persistent XSS attack when adding a new comment using the WYSIWYG editor’s website and image buttons. This issue was critical in both environments – frontend…

Results for the XSS challenge

The first challenge was very interesting. It was an easy one, but it’s a start. New challenges will be up soon. The winners (the first to submit a working solution) are:

1º Luciano Corsalini – $50 Amazon gift card: #<svg/onload=alert(`xss`)>
2º Kenan – $25 Amazon gift card: #<svg/onload=alert(/xss/)>

For the bonus prize…