Whenever I see an input field I automatically think XSS. So looking at the new CERT-UK website (https://www.cert.gov.uk) I saw they had a search box and straight away thought "XSS?".
Entering a test payload in the search box:
It turns out the search output wasn't properly encoded:
Whenever you find an XSS the next step is obviously to make a pretty "XSS on " + document.domain screenshot, right? However, I found out they had some character filtering/escaping for quotes and plus signs. But that of course could be bypassed with a little JavaScript trickery. For example:
https://www.cert.gov.uk/?s="><iframe/onload=a=document.domain;b=String.fromCharCode(88,83,83,32,111,110,32);alert(b.concat(a));>
To get the classic:
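The two points above (output that is not properly encoded, and a quote/plus-sign filter that can be worked around) come down to the same defensive rule: escape at the point of output, for the context you are writing into, instead of blocklisting characters. The example below is added here and is not code from the original post or from cert.gov.uk; the blocklist filter it models is an assumption about the kind of filter described, not the site's actual logic, and the search term it feeds in is constructed for the demonstration.

```javascript
// Added example (not from the original post or from cert.gov.uk):
// a character blocklist versus contextual HTML encoding for a
// reflected search term. The blocklist below is an assumed model of
// the filtering the post describes, not the site's real implementation.

// Assumed blocklist filter: backslash-escapes quotes and drops plus signs.
// A backslash means nothing to an HTML parser, so `">` still closes the
// attribute, and dropping `+` does nothing about String.fromCharCode/concat.
function blocklistFilter(term) {
  return term.replace(/["']/g, (m) => "\\" + m).replace(/\+/g, "");
}

// Contextual output encoding: every character that can change HTML
// structure becomes an entity, so the term can only ever render as text.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Minimal search-results template shared by both renderers: the term is
// reflected into an attribute value and into the page body.
function template(term) {
  return `<input name="s" value="${term}"><p>Results for ${term}</p>`;
}

function renderWithBlocklist(term) {
  return template(blocklistFilter(term));
}

function renderWithEncoding(term) {
  return template(htmlEncode(term));
}

// Regression check a developer or tester can run: count the HTML tags in
// the rendered page. With encoding the count never changes, whatever the
// search term; with the blocklist, attribute-breakout input adds tags.
function tagCount(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

function introducesMarkup(renderFn, term) {
  return tagCount(renderFn(term)) !== tagCount(renderFn(""));
}

// Constructed test input shaped like the post's payload: an attribute
// breakout followed by an iframe carrying an onload handler.
const CONSTRUCTED_TERM = '"><iframe/onload=alert(document.domain)>';

function demo() {
  console.log("blocklist output :", renderWithBlocklist(CONSTRUCTED_TERM));
  console.log("encoded output   :", renderWithEncoding(CONSTRUCTED_TERM));
  console.log("blocklist injects markup:", introducesMarkup(renderWithBlocklist, CONSTRUCTED_TERM));
  console.log("encoding injects markup :", introducesMarkup(renderWithEncoding, CONSTRUCTED_TERM));
}

demo();
```

Run it with `node` and compare the two rendered strings: the blocklist version still contains a live `<iframe` tag inside the page, while the encoded version contains only `&lt;iframe` text. The `tagCount` check is the kind of assertion worth keeping in a test suite, because it fails on any input that adds structure, regardless of which characters a filter happens to strip.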
I immediately reported the issue to CERT-UK and had a response and fix within a few hours.
I discovered this issue the day the site was released, 31st March. At the request of CERT-UK, I delayed the release of this post to allow time to fix any other issues.
Another day, another XSS. Being from the UK it did feel a little embarrassing that such an obvious issue got missed, but then again it just goes to show that whether you are cyber ninjas from CERT-UK or a mom and pop pie store from Nebraska, mistakes happen.
Today's lesson is: don't trust third-party developers when they say everything is secure. Test it yourself (preferably on a regular basis) and verify their claims.
Thanks again to CERT-UK for their fast response; you can follow them here: @CERT_UK
Pwndizzle out.