Note: All website owners were informed more than a week ago about the vulnerabilities I have "accidentally" found.
The purpose of this information is educational only!
Over the last week I was playing with some websites, trying to find out whether they are exposed to any XSS attacks.
Among those websites was also www.monster.com. I know that in past years Monster has had big security issues. They were hacked three times and a huge amount of data was stolen back then. Well... what I have discovered is that they still have vulnerabilities, especially XSS ones. Their filtering system has flaws: it will successfully remove <script>, <object> and <iframe> tags, but it fails to remove <img>, <html>, <body> and <?import>.
Based on the above, I created a "Job Seeker" account with a fake CV, and in the content of that CV I inserted the following markup:

<HTML><BODY><?xml:namespace prefix='t' ns='urn:schemas-microsoft-com:time'><?import namespace='t' implementation='#default#time2'><t:set attributeName='innerHTML' to='XSS&lt;script DEFER&gt;(function(){alert("Here you can do very nasty things!")})()&lt;/script&gt;'></BODY></HTML> 

When I previewed the CV... voilà, the alert dialog appeared. In this way I was able to hijack the user session by making use of cookies and extract any information I wanted. The most interesting thing is that in this way someone can hijack the session of any "Employer" who takes a look at the CV and, with custom "POST" and "GET" requests, infest that Employer's job posts with similar malicious code. In this way a real web could be created starting from just one malicious CV.

There are also issues in the section of the Monster website that allows you to upload your CV. You have the option to upload text files and Microsoft Word documents. In a text file I inserted an <img> tag with an 'onload' event. When the content was rendered on the page, the invisible image was loaded, the 'onload' event was triggered, and I was able to execute any JavaScript code.
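Both failures described above (the <?import>/<t:set> markup that survives the tag filter, and the <img> with an 'onload' handler in uploaded text) are consequences of the same design: a filter that strips a list of known-bad tags and lets everything else through. The following is an added example, not code from this post or from Monster: a regex blocklist of the shape the post describes (its exact form is an assumption) beside a small allowlist sanitizer built on Python's html.parser, run against inputs constructed to match the post's two vectors. The allowlist keeps only listed tags and listed attributes, so event handlers such as onload, processing instructions and unknown elements never reach the output, and a dropped-item list is kept for logging.

```python
"""Blocklist filter vs. allowlist sanitizer for user-supplied CV markup.
Added example; not Monster's code. The blocklist models the behaviour the
post describes (assumed shape: regex removal of whole <script>, <object>,
<iframe> elements). All inputs below are constructed for the demonstration."""
import html
import re
from html.parser import HTMLParser

# --- 1. Blocklist in the spirit of the filter described (assumed shape) ---
BLOCKLIST_TAGS = ("script", "object", "iframe")

def blocklist_filter(markup: str) -> str:
    """Remove <script>, <object> and <iframe> elements and nothing else."""
    for tag in BLOCKLIST_TAGS:
        markup = re.sub(rf"<{tag}\b[^>]*>.*?</{tag}\s*>", "", markup, flags=re.I | re.S)
        markup = re.sub(rf"<{tag}\b[^>]*/?>", "", markup, flags=re.I)
    return markup

# --- 2. Allowlist sanitizer: only listed tags and attributes survive ---
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href"},
    "img": {"src", "alt"},   # <img> itself is fine; on* attributes are never listed
}
VOID = {"br", "img"}
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.I)   # rejects javascript:, data:, vbscript:

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []          # audit trail of rejected items, for logging
        self._skip_text = False    # True while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:     # covers html, body, t:set, script, object, ...
            self.dropped.append(tag)
            if tag in ("script", "style"):
                self._skip_text = True
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:          # onload, style, onerror, ...
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and not SAFE_URL.match((value or "").strip()):
                self.dropped.append(f"{tag}@{name}:unsafe-url")
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_text = False
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_text:
            self.out.append(html.escape(data, quote=False))  # stray '<' and '&' become text

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_pi(self, data):            # <?import ...>, <?xml:namespace ...>
        self.dropped.append("pi:" + (data.split() or [""])[0])

    def handle_comment(self, data):       # conditional comments and the like
        self.dropped.append("comment")

    def handle_decl(self, decl):
        self.dropped.append("decl")

def sanitize(markup: str):
    """Return (clean_html, dropped_items)."""
    p = AllowlistSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out), p.dropped

# --- Constructed inputs modelled on the post's two vectors ---
SAFE_CV = '<p>Experienced <b>Python</b> developer. <a href="https://example.com/cv">Portfolio</a></p>'
TIME_PAYLOAD = ("<HTML><BODY><?xml:namespace prefix='t' ns='urn:schemas-microsoft-com:time'>"
                "<?import namespace='t' implementation='#default#time2'>"
                "<t:set attributeName='innerHTML' to='XSS&lt;script DEFER&gt;"
                "(function(){alert(1)})()&lt;/script&gt;'></BODY></HTML>")
IMG_PAYLOAD = '<p>CV text</p><img src="https://example.com/x.gif" style="display:none" onload="alert(1)">'
JS_HREF = '<a href="javascript:alert(1)">Click</a>'

if __name__ == "__main__":
    for label, payload in [("safe", SAFE_CV), ("time", TIME_PAYLOAD),
                           ("img", IMG_PAYLOAD), ("href", JS_HREF)]:
        clean, dropped = sanitize(payload)
        print(f"{label:5} blocklist changed it: {blocklist_filter(payload) != payload}")
        print(f"{label:5} allowlist output:     {clean!r}  dropped={dropped}")
```

The blocklist leaves both constructed payloads untouched, because neither contains a literal <script>, <object> or <iframe> start tag (the TIME payload only carries an entity-encoded one inside an attribute value). The allowlist, by contrast, reduces the TIME payload to an empty string and keeps the <img> while discarding its onload and style attributes; the benign CV fragment passes through byte-for-byte.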