Wednesday 30 April 2014

CERT-UK Search XSS

Whenever I see an input field I automatically think XSS. So looking at the new CERT-UK website (https://www.cert.gov.uk) I saw they had a search box and straight away thought "XSS?".

Entering a test payload in the search box:



It turns out the search output wasn't properly encoded:



Whenever you find an XSS the next step is obviously to make a pretty "XSS on " + document.domain screenshot, right? However, I found out they had some character filtering/escaping for quotes and plus signs. That could of course be bypassed with a little JavaScript trickery, building the string with String.fromCharCode and joining it with concat instead of a quoted literal and a plus sign. For example:

https://www.cert.gov.uk/?s="><iframe/onload=a=document.domain;b=String.fromCharCode(88,83,83,32,111,110,32);alert(b.concat(a));>

To get the classic:



I immediately reported the issue to CERT-UK and had a response+fix within a few hours.
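The durable fix for this class of bug is contextual output encoding, not a character denylist. The following is an added example, not code from the CERT-UK site or its developers: it models the filter the post describes (quotes and plus signs stripped) beside a version that HTML-encodes the reflected search term, and checks which one lets the post's payload introduce new markup. Reflecting the term into a text node ("Search results for: ...") is an assumption about the original page.

```javascript
// Added example (not the CERT-UK site's code): a character denylist versus
// contextual output encoding for a reflected search term.

// Constructed test input: the bypass payload quoted in the post, i.e. the
// URL-decoded value of the `s` query parameter.
const PAYLOAD =
  '"><iframe/onload=a=document.domain;b=String.fromCharCode(88,83,83,32,111,110,32);alert(b.concat(a));>';

// Models the filtering described in the post (assumption: quotes and plus
// signs are removed; everything else is reflected raw into the page body).
function renderDenylist(query) {
  const filtered = query.replace(/["'+]/g, '');
  return `<p>Search results for: ${filtered}</p>`;
}

// Hardened form: encode every HTML-significant character so the browser
// can only ever treat the reflected value as text, never as markup.
function encodeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

function renderEncoded(query) {
  return `<p>Search results for: ${encodeHtml(query)}</p>`;
}

// Defender-side check: count tag openers ("<" or "</" followed by a letter)
// in the rendered page and compare against the template rendered with an
// empty query. Any extra tag means the input was interpreted as markup.
function countTags(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

function introducesMarkup(render, query) {
  return countTags(render(query)) > countTags(render(''));
}

function demo() {
  return {
    // true: stripping the quote leaves "><iframe/onload=...>" intact
    denylistBroken: introducesMarkup(renderDenylist, PAYLOAD),
    // true: the tag arrives as "&lt;iframe/onload=...&gt;", plain text
    encodedSafe: !introducesMarkup(renderEncoded, PAYLOAD),
  };
}

console.log(demo());
```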



I discovered this issue the day the site was released, 31st March. At the request of CERT-UK I delayed the release of this post to allow time to fix any other issues.


Final Thoughts

Another day, another XSS. Being from the UK it did feel a little embarrassing that such an obvious issue got missed, but then again it just goes to show that whether you are cyber ninjas from CERT-UK or a mom-and-pop pie store from Nebraska, mistakes happen.

Today's lesson: don't trust third-party developers when they say everything is secure. Test it yourself (preferably on a regular basis) and verify their claims.

Thanks again to CERT-UK for their fast response; you can follow them here: @CERT_UK

Pwndizzle out.