skip to main |
skip to sidebar
RSS Feeds
ASP.NET, JavaScript, Oracle and SQL articles and code.
ASP.NET, JavaScript, Oracle and SQL articles and code.
12:35 AM
Posted by Michael Heliso
Note:All websites owners where informed more than a week ago about the vulnerabilities I have "accidentally" found.
The purpose of this information is educational only!
In the last week I was playing with some websites trying to find out if they are exposed to any XSS attacks.
Among those websites was also www.monster.com. I know that in the past years Monster had big issues regarding security. They were hacked three times and a huge amount of data was stolen back then. Well...what I have discovered is that they still have vulnerabilities, specially XSS ones. Their filtering system has flaws, considering that it will remove with success <script>, <object>, <iframe> tags but it fails on removing <img>, <html>, <body> and <?import>.
Based on the above mentioned things I created a "Job Seeker" account with a fake CV and in the content of that CV I have inserted the following script:
<HTML><BODY><?xml:namespace prefix='t' ns='urn:schemas-microsoft-com:time'><?import namespace='t' implementation='#default#time2'><t:set attributeName='innerHTML' to='XSS<script DEFER>(function(){alert("Here you can do very nasty things!")})()</script>'></BODY></HTML>
April 28, 2011 at 3:12:00 AM PDT
Hello my friend! I want to say that this article is awesome, nice written and include almost all vital info. I would like to see more posts like this.