Wednesday 30 April 2014

CERT-UK Search XSS

Whenever I see an input field I automatically think XSS. So looking at the new CERT-UK website (https://www.cert.gov.uk) I saw they had a search box and straight away thought "XSS?".

Entering a test payload in the search box:



It turns out the search output wasn't properly encoded:



Whenever you find an XSS the next step is obviously to make a pretty "XSS on " + document.domain screenshot right? However I found out they had some character filtering/escaping for quotes and plus signs. But that of course could be bypassed with a little javascript trickery. For example:

https://www.cert.gov.uk/?s="><iframe/onload=a=document.domain;b=String.fromCharCode(88,83,83,32,111,110,32);alert(b.concat(a));>

To get the classic:



I immediately reported the issue to CERT-UK and had a response+fix within a few hours.



I discovered this issue the day the site was released, 31st March. At the request of CERT-UK I delayed the release of this post to allow time to fix any other issues.


Final Thoughts

Another day, another XSS. Being from the UK it did feel a little embarrassing that such an obvious issue got missed but then again it just goes to show whether you are cyber ninja's from CERT-UK or mom+pop pie store from Nebraska, mistakes happen.

Today's lesson is don't trust third party developers when they say everything is secure. Test it yourself (preferably on a regular basis) and verify their claims.

Thanks again to CERT-UK for their fast response, you can follow them here @CERT_UK

Pwndizzle out.

8 comments:

  1. Do you want to learn more about narrative essay writing? Here you can get some tips

    ReplyDelete
  2. Thank you i like your blog
    [url=https://golsarmusic.ir/%d8%b3%db%8c%d9%86%d8%a7-%d9%be%d8%a7%d8%b1%d8%b3%db%8c%d8%a7%d9%86-%d8%b4%da%a9%d8%a7%d9%81/]سینا پارسیان شکاف[/url]
    [url=https://golsarmusic.ir/%da%a9%d8%a7%d9%85%db%8c-%db%8c%d9%88%d8%b3%d9%81%db%8c-%d8%b3%d9%86%db%8c%d9%88%d8%b1%db%8c%d8%aa%d8%a7/]کامی یوسفی سنیوریتا[/url]

    ReplyDelete
  3. I'm so glad and enjoyed your BLOG, It is very informative on the subject or topic, and Thanks For Sharing this post.Xanax sale

    ReplyDelete
  4. This is just what I'm looking for: a great site with interesting material. Thank you for creating this website; I will return. I seldom come across blogs.

    ReplyDelete
  5. Sodium polyacrylate is a sodium salt that is made up of polyacrylic acid. This superabsorbent polymer comes with the ability to absorb about 100 to 1000 times its mass in water.

    sodium polyacrylate price

    ReplyDelete

  6. Nice post. I used to be checking constantly this blog and I am impressed! Extremely useful info particularly the ultimate section 🙂 I take care of such information a lot. I was seeking this certain information for a long time. Thank you and best of luck.
    essay on cristiano ronaldo

    ReplyDelete
  7. Hi....
    What are some examples of cross site scripting attacks? ... instead of clicking on it visit CNN's main site and use its search engine to find the content.
    You are also read more Apply Free Home Loan

    ReplyDelete