Anti-Phishing Research, Tombstones

Sunday, March 25, 2012

discussions.apple.com, Resolved, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Example, PoC, Report

Reflected XSS (RXSS) in discussions.apple.com, reported to Apple Product Security on July 20, 2011 and noted as resolved via the URL http://support.apple.com/kb/ht1318 on February 20, 2012.


Summary

Severity:  High
Confidence:  Certain
Host:  https://discussions.apple.com
Path:  /community/ipad/ipad_in_the_enterprise

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c261f"><ScRiPt>alert(1)</ScRiPt>109ba28d678 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
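As an added illustration of both the issue detail and the remediation above (this is example code written for this page, not Apple's code and not part of the original report), the following Python reconstructs the two halves of the finding: a case-sensitive blacklist of the kind the report describes, which the page's own payload walks past, and context-aware output encoding of the reflected value into the double-quoted attribute, which renders the same payload inert. The filter shape, the attribute template and the check function are assumptions made for the example; only the payload string comes from the report.

```python
import html
import re

# Payload exactly as quoted in the issue detail above.
REPORTED_PAYLOAD = 'c261f"><ScRiPt>alert(1)</ScRiPt>109ba28d678'


def naive_blacklist_filter(value: str) -> str:
    """Hypothetical blacklist filter (assumption, not Apple's code).

    It strips the lowercase tokens "<script" and "</script" and nothing else,
    which is the behaviour the report's case-variation bypass implies.
    """
    return value.replace("<script", "").replace("</script", "")


def render_attribute_unsafe(value: str) -> str:
    """Hypothetical template reflecting the value into a double-quoted
    attribute without encoding (the vulnerable context named in the report)."""
    return f'<a href="/community/ipad/{value}">link</a>'


def render_attribute_encoded(value: str) -> str:
    """Same template with output encoding for the HTML attribute context.

    html.escape(quote=True) encodes & < > " and ', so the value can neither
    close the surrounding attribute nor open a new tag, whatever its case.
    """
    return f'<a href="/community/ipad/{html.escape(value, quote=True)}">link</a>'


def contains_injected_script_tag(rendered_html: str) -> bool:
    """Detection helper: case-insensitive, so 'ScRiPt' is caught as well."""
    return re.search(r"<\s*script", rendered_html, re.IGNORECASE) is not None


def attribute_stays_closed(rendered_html: str) -> bool:
    """The template contributes exactly two double quotes; any extra raw
    quote means the reflected value broke out of the attribute."""
    return rendered_html.count('"') == 2


if __name__ == "__main__":
    filtered = naive_blacklist_filter(REPORTED_PAYLOAD)
    print("blacklist + unsafe render:", render_attribute_unsafe(filtered))
    print("  script tag present:", contains_injected_script_tag(render_attribute_unsafe(filtered)))
    print("encoded render:", render_attribute_encoded(REPORTED_PAYLOAD))
    print("  script tag present:", contains_injected_script_tag(render_attribute_encoded(REPORTED_PAYLOAD)))
```

Running it shows the blacklist removing nothing from the mixed-case payload, so the unsafe render still contains a live script tag and a third raw quote, while the encoded render keeps the attribute closed and contains no tag at all. The general point for remediation is that the encoding must match the output context (here, an HTML attribute value); a blacklist that has to anticipate every spelling of every dangerous token cannot do that.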
