So with the blessing from iTpHo3NiX I present to you a fun little story of finding an XSS vulnerability on the site.
We were messing around on IRC and someone jokingly told a new member the challenge was to find XSS in evilzone:
<AndroUser> 12 tasks ?
<blacknieve> Oh if only it were that easy.
<davinci> you must deface a website in the name of puddi
<AndroUser> will try
<blacknieve> And impress dr. m0rph.
<parad0x> AndroUser, find Xss in EZ
<parad0x> don't kill me for this :p
<AndroUser> ill pass on that para
<parad0x> show on IRC a proof of your Xss finding in the forums
<blindfuzzy> lol
<parad0x> we'll make you admin
<parad0x> the moment you do that
I figured, heck why not give it a shot?
I messed around with the main forum for a while and found some interesting things in the forum settings with regards to the time format (you can really confuse yourself by putting some garbage values in there), but it seemed to sanitize the input properly. Then I remembered the IRC stats page seems to be a little non-standard and could be vulnerable. After messing around I realized this really only shows values and I couldn't find a parameter to inject.
Then I figured, hey, there's still the wiki...
I was checking the pages on the wiki and the parameters associated with these requests. I was watching the requests in the developer toolbar and noted an error being returned:
The XSS Auditor refused to execute a script in [url] because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
Bingo, fired up Firefox and resent the request and bam. XSS vulnerability discovered.
Luckily iTpHo3NiX was online (being the only admin I'd really been in contact with), so I disclosed the vulnerability and within minutes (like not even 5) Ande had stepped in and patched it.