Cross site scripting (xss) is the one of the more common web application vulnerabilities. It allows an attacker to inject malicious javascript into a web application and steal users sessions or cookies. Various other malicious things can also be done. The Xss vunerability in this application leads to the stealing of an administrators session. Xss attacks can be found in up to 80% of web applications or sites.
Sockso is a free and open source music host server (). It is very easy to install and can be setup in minutes. A few of my friends have been using this software. When registering I found a large persistant Cross site scripting vulnerability. I immediately informed the developers and also wrote a proof of concept of how it could be exploited, that I would like to demonstrate.
I discovered that on the registration page, The developer never sanitizes the “username” input field, nor is it sanitized or stripped on output into the admin panel. I discovered this originally by using
as my registrating name. I was then automatically logged in and the “lolhixss” popup followed. I also recieved a message from the admin (my friend) who told me it also popped up in the admin panel.In order to steal the admin session, all that was required was for me to write a small php file, I called it xss.php. All it does is record the parameter “c” passed in the url to a file.
$cookie = $_GET["c"];
$stolencookies = fopen("cookiefile.txt", "a");
fwrite($stolencookies, $cookie ."n");
fclose($stolencookies);
?>
In order to steal the cookies, I used the script...
as my username. When this was executed in the admin panel. It appended the admins cookie to the end of the url, which was then stored into my cookiefile.txt file. Using Tamper Data (a firefox plugin similar to burp) I modified my http headers and other paramaters to contain the admin cookie that was retrieved. I then refreshed the page and was logged in as the admin.
In order to prevent attacks like this, the developer needs to escape and sanitize the users input. Also having a limit on the size of a username would only be helpful. It is just as important to sanitize the output as well.
More information can be found here and here https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Hax brah!
EDIT: I submitted this finding to exploit-db.com Here Hopefully the first of many!