Today I did some research on a rather little-known XSS attack vector, and I would like to present a small 'hack me' application - have fun (and read on for details)!
Introduction

I present to you a small vulnerable shoutbox application.
- Sqlite storage for user-submitted comments
- Your comments are only visible to your own IP (you can only hack yourself)
- Open source (feel free to download and audit the source or run locally)
- 100% SQL Injection-free
- 99% (now 98%) XSS free ;-) Only Firefox browsers are vulnerable (sorry)
Update: I've found a second vuln :) So, for now, there are two:
- IE 6, 7 (and its variant for IE8). This one is widely known, but it requires a separate website to exploit. It's about headers, or the lack of them - this one is easy.
- Against XSS - every piece of user input / database content is passed through htmlspecialchars().
- Against SQL injection - 100% protected, as prepared statements are used.
- Against RFI / path traversal - included widget file names are only allowed to contain [a-z.] (so ../../, http://whatever and similar tricks won't work).
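As an added illustration (not the shoutbox's own source, which the post links to), here is how those three measures look in a minimal PHP/SQLite handler. The file, table and directory names (shoutbox.db, comments, widgets/) are assumptions, and an explicit charset header is included because the post notes that the IE issue concerns missing headers.

```php
<?php
// Added example, not the shoutbox's own code. Names such as shoutbox.db,
// the comments table and the widgets/ directory are assumptions.

function open_db(): PDO {
    $db = new PDO('sqlite:shoutbox.db');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS comments '
            . '(id INTEGER PRIMARY KEY, ip TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// SQL injection: values are bound to a prepared statement, never concatenated.
function add_comment(PDO $db, string $ip, string $body): void {
    $stmt = $db->prepare('INSERT INTO comments (ip, body) VALUES (:ip, :body)');
    $stmt->execute([':ip' => $ip, ':body' => $body]);
}

// Comments are only returned to the IP that posted them.
function comments_for(PDO $db, string $ip): array {
    $stmt = $db->prepare('SELECT body FROM comments WHERE ip = :ip ORDER BY id');
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// XSS: escape at output time, quoting both quote styles and naming the encoding
// explicitly so the escaping and the document's declared charset agree.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// RFI / path traversal: the widget name must match [a-z.] only (no "/" or ":",
// so neither ../../ nor http:// can appear) and must resolve to a file inside
// a fixed directory.
function widget_path(string $name): ?string {
    if (!preg_match('/^[a-z.]+$/', $name)) {
        return null;
    }
    $path = __DIR__ . '/widgets/' . $name;
    return is_file($path) ? $path : null;
}

// Request handling: declare the charset in the HTTP header as well as the markup.
header('Content-Type: text/html; charset=UTF-8');
$db = open_db();
$ip = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && isset($_POST['comment'])) {
    add_comment($db, $ip, (string) $_POST['comment']);
}
echo '<!DOCTYPE html><html><head><meta charset="UTF-8">'
   . '<title>Shoutbox</title></head><body>';
foreach (comments_for($db, $ip) as $c) {
    echo '<p>' . h($c) . '</p>';
}
$widget = widget_path((string) ($_GET['widget'] ?? ''));
if ($widget !== null) {
    include $widget;
}
echo '</body></html>';
```

Run it with `php -S localhost:8080` from the directory containing the file; the escaping in `h()` happens at render time rather than at storage time, so the database keeps the raw comment and the output encoding is decided in one place.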
The goal and final words

Just a simple XSS - if you can make it alert() something, you win. No filtering is being done on the comments, so you may skip the obfuscation. Other than that - just look at the source - it's all there. When you break it, leave comments here with your IP or email me. In a few days I will discuss the exact vulnerabilit
Update: Both vulnerabilities are now revealed. Here's one for Firefox and one for IE.