EvilZone

: XSS in Evilzone
: ShadowCloud November 25, 2015, 09:13:50 PM
So with the blessing from iTpHo3NiX I present to you a fun little story of finding an XSS vulnerability on the site.

We were messing around on IRC and someone jokingly told a new member the challenge was to find XSS in Evilzone:

<AndroUser> 12 tasks ?
<blacknieve> Oh if only it were that easy.
<davinci> you must deface a website in the name of puddi
<AndroUser> will try
<blacknieve> And impress dr. m0rph.
<parad0x> AndroUser, find Xss in EZ
<parad0x> don't kill me for this :p
<AndroUser> ill pass on that para
<parad0x> show on IRC a proof of your Xss finding in the forums
<blindfuzzy> lol
<parad0x> we'll make you admin
<parad0x> the moment you do that

I figured, heck why not give it a shot?

I messed around with the main forum for a while and found some interesting things on the forum settings with regard to the time format (you can really confuse yourself by putting some garbage values in there) but it seemed to sanitize the input properly. Then I remembered the IRC stats page seems to be a little non-standard and could be vulnerable. After messing around I realized this really only shows values and I can't find a parameter to inject.

Then I figured, hey, there's still the wiki...

I was checking the pages on the wiki and the parameters associated with these requests. I was watching the requests in the developer toolbar and noted an error being returned:

The XSS Auditor refused to execute a script in  [url] because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.

Bingo, fired up Firefox and resent the request and bam.  XSS vulnerability discovered.

Luckily iTpHo3NiX was online (being the only admin I'd really been in contact with) so I disclosed the vulnerability and within minutes (like not even 5) Ande had stepped in and patched it.
: Re: XSS in Evilzone
: iTpHo3NiX November 25, 2015, 09:15:53 PM
This is a true story and goes to show that Shadow is awesome :-P
: Re: XSS in Evilzone
: blindfuzzy November 25, 2015, 09:23:07 PM
Nice find!
: Re: XSS in Evilzone
: 0E 800 November 25, 2015, 09:36:33 PM
Fuck yeah broski. Don't spoil your dinner but have a cookie.
: Re: XSS in Evilzone
: parad0x November 26, 2015, 02:39:23 AM
Dude, how will he rank up now? It was his task... btw that somebody is me, if you didn't forget. Nice work though.
: Re: XSS in Evilzone
: kenjoe41 November 26, 2015, 03:45:30 AM
Well, they lied about the admin part but meh. You deserve to rank up as you go.
: Re: XSS in Evilzone
: chris November 26, 2015, 03:51:12 AM
GJ man... I like you... Have a cookie...
: Re: XSS in Evilzone
: ShadowCloud November 26, 2015, 04:48:48 AM
Quote from parad0x: "Dude, how will he rank up now? It was his task... btw that somebody is me, if you didn't forget. Nice work though."

Hahaha he is more than welcome to look for a different place that has a different XSS vulnerability.
And nope, I definitely didn't forget :)
: Re: XSS in Evilzone
: Darkvision November 26, 2015, 03:37:43 PM
@parad0x, it is well known that in order to get admin one must hack the internet with a dragon dildo.

@shadowcloud, nice find man. Here more cookie for you.
: Re: XSS in Evilzone
: parad0x November 26, 2015, 06:03:13 PM
Quote from Darkvision: "@parad0x, it is well known that in order to get admin one must hack the internet with a dragon dildo."
I don't think he knows it yet :P
: Re: XSS in Evilzone
: Matriplex November 26, 2015, 06:19:50 PM
Impressive