Wednesday 30 April 2014


Whenever I see an input field I automatically think XSS. So looking at the new CERT-UK website I saw they had a search box and straight away thought "XSS?".

Entering a test payload in the search box:

It turns out the search output wasn't properly encoded:

Whenever you find an XSS the next step is obviously to make a pretty "XSS on " + document.domain screenshot, right? However, I found out they had some character filtering/escaping for quotes and plus signs. That could of course be bypassed with a little JavaScript trickery. For example:

"><iframe/onload=a=document.domain;b=String.fromCharCode(88,83,83,32,111,110,32);alert(b.concat(a));>

To get the classic:

I immediately reported the issue to CERT-UK and had a response+fix within a few hours.
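The contrast the post describes, as an added example rather than code from the post or from CERT-UK's site: a character denylist (assumed here to drop single quotes and plus signs, since the post only says those characters were filtered) lets the payload through unchanged because String.fromCharCode and concat need neither character, while contextual HTML encoding of the reflected search term keeps it inside the attribute as plain text.

```javascript
// Added example (not from the original post). Models the two ways a
// reflected search term can be handled and checks what each one renders.

// The payload quoted in the post.
const PAYLOAD =
  '"><iframe/onload=a=document.domain;' +
  'b=String.fromCharCode(88,83,83,32,111,110,32);alert(b.concat(a));>';

// Assumed vulnerable approach: strip a few "bad" characters, then reflect
// the term into an attribute on the results page. The character set here
// is an assumption; the post only mentions quotes and plus signs.
function denylistFilter(term) {
  return term.replace(/['+]/g, '');
}
function renderFiltered(term) {
  return '<input type="text" name="q" value="' + denylistFilter(term) + '">';
}

// Fixed approach: encode every character with meaning in HTML, so whatever
// the user typed can only ever be text inside the attribute value.
function encodeHtml(term) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(term).replace(/[&<>"']/g, (c) => map[c]);
}
function renderEncoded(term) {
  return '<input type="text" name="q" value="' + encodeHtml(term) + '">';
}

// Crude review check over rendered markup: list the element names present.
// Anything besides the single <input> means the term broke out of the
// attribute context.
function elementNames(html) {
  return [...html.matchAll(/<([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

console.log(elementNames(renderFiltered(PAYLOAD))); // [ 'input', 'iframe' ]
console.log(elementNames(renderEncoded(PAYLOAD)));  // [ 'input' ]
```

The denylist leaves PAYLOAD byte-for-byte intact, which is the point of the post: filtering individual characters is not a substitute for encoding for the output context.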

I discovered this issue the day the site was released, 31st March. At the request of CERT-UK I delayed the release of this post to allow time to fix any other issues.

Final Thoughts

Another day, another XSS. Being from the UK it did feel a little embarrassing that such an obvious issue got missed, but then again it just goes to show that whether you are cyber ninjas from CERT-UK or a mom+pop pie store from Nebraska, mistakes happen.

Today's lesson is don't trust third party developers when they say everything is secure. Test it yourself (preferably on a regular basis) and verify their claims.

Thanks again to CERT-UK for their fast response. You can follow them here: @CERT_UK

Pwndizzle out.