web application security lab

Digg is Vulnerable to XSS

Personally I stay away from bookmarking sites like the plague, but I do know that if you get 10 people digging you that means you get about 5x the amount of traffic to your site. For the blackhat SEO crowd this could be interesting because getting 100 people to digg you will make a lot of other people follow your link, just out of curiosity (and assuming the topic sounds interesting enough).

Today I got an email from Digger - aka Clear Rivers - who sent me a link to his blog. If you remember, he is the one who found the CSRF vulnerability in Digg. This one, in my mind, is actually more dangerous, because it could be used for phishing, and for easily falsifying diggs by doing some AJAXy stuff from the JavaScript itself. The only minor saving grace is that it’s not really HTML injection, but rather parameter injection inside of an input tag, which makes it slightly harder to exploit on a large scale, since it does require some onmouseover stuff.

Of course to get around requiring a user to mouse over the search box you could do something tricky like put it in an iframe and move the iframe to wherever the mouse is on the page it is being called from to execute it, but who’s counting (thanks to Jeremiah Grossman for that particular idea).

But this is a perfect example of why stripping out open and close angle brackets does NOT prevent Cross Site Scripting - a very common misnomer. It closes down HTML injection, but parameter injection, DOM based attacks and things like UTF-7 are all still wide open. Nice find, Clear Rivers!
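To make the point concrete, here is an added example (my own illustration, not code from the original post or from Digg) that renders a reflected search box through two filters: one that only strips angle brackets, and one that encodes for attribute context. The search box template, the helper names and the two sample queries are all constructed for the demo.

```javascript
// Added example, not the original post's or Digg's code: why stripping
// '<' and '>' leaves attribute-context injection open, and what an
// attribute encoder must escape instead. All names here are made up.

// Naive filter: drop angle brackets only. Blocks new tags, nothing else.
function stripAngleBrackets(value) {
  return value.replace(/[<>]/g, '');
}

// Attribute encoder: escape every character that can end a double-quoted
// attribute value, plus '&' so nothing decodes back into one of them.
function encodeForAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Simulates a search page that reflects the query into the search box.
function renderSearchBox(query, sanitize) {
  return `<input type="text" name="q" value="${sanitize(query)}">`;
}

// Reads back the attribute names of the rendered tag. The template only
// emits double-quoted attributes, so this loop is exact for its output:
// an extra name means the query broke out of the value attribute.
function attributeNames(tag) {
  const names = [];
  const re = /\s+([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed inputs: a tag-based query the naive filter does catch, and an
// attribute-breakout query (the Digg search box case) that it does not.
const TAG_QUERY = 'kittens<script>alert(1)</script>';
const ATTR_QUERY = 'kittens" onmouseover="alert(1)';

// Returns the attribute list the browser would see under each filter.
function compare(query) {
  return {
    stripped: attributeNames(renderSearchBox(query, stripAngleBrackets)),
    encoded: attributeNames(renderSearchBox(query, encodeForAttribute)),
  };
}

console.log(compare(TAG_QUERY));  // both filters: type, name, value
console.log(compare(ATTR_QUERY)); // stripped version gains 'onmouseover'
```

The stripped rendering of the second query ends up with four attributes, the encoded one with three; the angle-bracket filter never touched the input because the query contained no brackets to strip.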

Meanwhile Dcrab found a few vulnerabilities in MSN and Amazon. He has not released the exploits, so it’s hard to comment on them, but it’s no surprise.

4 Responses to “Digg is Vulnerable to XSS”

  1. yawnmoth Says:

    Of course to get around requiring a user to mouse over the search box you could do something tricky like put it in an iframe and move the iframe to wherever the mouse is on the page it is being called from to execute it, but who’s counting

    Without using IE expressions or -moz-binding, how would one go about doing this? How can you place anything in an iframe when you can’t break out of the element you’re already in?

  2. RSnake Says:

    Sorry, that probably wasn’t clear. You could set up a page on your website that the user went to. Inside that page, you could have an iframe that contained the HTML injected Digg page. The iframe would move to whatever coordinates would cause your mouse to be over the input field…. thus allowing you to run JavaScript in the context of the Digg domain to do your falsifying Diggs, etc… Make sense?

  3. yawnmoth Says:

    So, basically, cross-site request forgery?

    Anyway, yup - that explanation does indeed make more sense :)

  4. RSnake Says:

    Half CSRF, yes. The half that is the CSRF is making sure they are logged in so that the XSS will do anything other than just pop up an alert box or something else annoying. The XSS, however, is required to get information from the digg.com context. That way your Ajax calls will be able to read the information from that site, and do something (like make a bunch of fake diggs, or remove accounts or whatever you want to do to the user).