Exploiting unexploitable/self XSS

There are multiple endpoints where we can get XSS in web apps, but most of the time they are self-XSS 😛, which requires user interaction to trigger. So to make it exploitable, or at least to build a PoC, we are typically left with 2 options :p

  1. Using Clickjacking
  2. Using CSRF

Depending on which of the above 2 cases is present, we can create a PoC.

So here I will discuss a real example in one of the Yahoo acquisitions, “Polyvore”, which I reported.

There were multiple fields vulnerable to XSS. They were self-XSS, but the page itself was vulnerable to clickjacking, so we can exploit it by putting a suitable XSS vector (one that bypasses the filter) into those fields with the help of the user, by tricking him into playing a drag-and-drop game.
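The whole trick above depends on one precondition: the vulnerable page can be loaded inside a frame on another origin. The check below, added here as example code (not the author's script), decides from a page's response headers whether a given third-party origin is allowed to frame it; the header values and origins used are constructed for illustration.

```python
# Added defensive example: decide from response headers whether an origin may
# frame a page. A page that blocks framing cannot host a clickjacking game.
from urllib.parse import urlparse


def _frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def _source_matches(src, origin):
    """Match one frame-ancestors source expression against an origin."""
    o = urlparse(origin)
    if src == "*":
        return True
    if "://" not in src and not src.endswith(":"):
        src = o.scheme + "://" + src        # bare host, e.g. partner.example
    s = urlparse(src)
    if s.scheme != o.scheme:
        return False
    if not s.hostname:                      # scheme-only source such as https:
        return True
    if s.hostname.startswith("*."):         # host wildcard: *.partner.example
        return o.hostname.endswith(s.hostname[1:])
    return s.hostname == o.hostname and s.port == o.port


def framable_by(headers, page_origin, attacker_origin):
    """True if attacker_origin may load page_origin in an <iframe>."""
    h = {k.lower(): v for k, v in headers.items()}   # names are case-insensitive
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:               # CSP frame-ancestors overrides XFO
        if "none" in ancestors:
            return False
        if "self" in ancestors and attacker_origin == page_origin:
            return True
        return any(_source_matches(s, attacker_origin)
                   for s in ancestors if s not in ("self", "none"))
    xfo = h.get("x-frame-options", "")
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if not values:
        return True                         # no framing protection at all
    if len(values) > 1 or "deny" in values:
        return False                        # conflicting values act as DENY
    if values == {"sameorigin"}:
        return attacker_origin == page_origin
    return True                             # ALLOW-FROM/junk: ignored by browsers
```

Run it against the headers of the page you are testing; a `True` result for a foreign origin is the finding to report (or, on the defending side, the header to add).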

Which is at least better than a standalone PoC; at least it will convey the impact to the team :v
I will create a separate post on how to do it via CSRF (no such fantasy involved in that either), but clickjacking involves a few little configs, so this is just a bookmark post in case you run into such a situation.

So I have just written a custom .py script which will create a clickjack-to-XSS PoC. On running the script it will ask you for 2 things:

  1. XSS vector to bypass the filter
  2. Custom clickjack code, which you can create from here

Q.) Why custom clickjack code?

Because there are specific text fields/textareas which are vulnerable and need to be included as part of the game! You will understand this better in the video below.

Now you can give this file to the victim!

PoC in action

Script

Greetz to #kotowicz for his great work in the clickjacking domain.

That’s all guys 🙂

$ logout
