web application security lab

Obscure XSS Vector works on Wapsilon.com

V-Wall sent me a pretty interesting email today about an XSS vulnerability in wapsilon.com. Generally I don’t bother posting these sorts of things, but this one was fairly interesting from a web application security perspective for a few reasons. First, it’s on a WAP site, and I really am wondering how XSS will invade other forms of browsers, including those on handheld devices. Second, it’s interesting because of the particular vector V-Wall used: the malformed IMG tag.

OK, so I’ve been doing a bit more looking into things on www.wapsilon.com (a site used to surf WAP sites). What I’ve been looking at is using WAP apps to run XSS attacks, and I have found one you may be interested in here. I’ll give you the basic overview first, then go into it more.

OK, so we have www.wapsilon.com, which is used to surf WAP sites. Ultimatekaos.co.uk is a WAP site I used in my tests; it’s a simple WAP chat site. I’ve been able to use the PM system on there and have www.wapsilon.com run my XSS code.

So now more detail on Ultimatekaos.co.uk. Like I said, it’s a basic WAP chat site: you can use the forums, send PMs to people and go in chat rooms etc. Now, I first found there may be a chance for using code injection on the site when I was trying different input and sent myself a PM with the text ” <> &quot ” (no speech marks), and when I went to read the PM there was an error. I was nicely shown the resulting code, and sure enough, sat there was my <>. To make sure it was code I’d injected, I did it again, but this time used ” < hello me > ” (no speech marks), and sure enough, on trying to read the PM I got an error and was shown the code, and there sat my code.

I made my way to your site and made a list of the vectors that would work with Firefox, and went through them trying one by one. The one I came across first that worked was alert(document.cookie). Now the code was run and sure enough I got a window, BUT it seemed there was no cookie set, so just to check where the code was running I changed the code to alert(document.location), which when run showed www.wapsilon.com being the place where the code was being run. So it seems that as www.wapsilon.com transfers the WAP page code through its app for reading and decoding etc., the SCRIPT tags get passed as code to be run by www.wapsilon.com.

Here are his screenshots: the input vector and the XSS vulnerability.

I know there have been some vulnerabilities in some PDA devices thus far dealing with CSRF in the internal device itself (stealing contact info or other nefarious things), but as PDAs become ubiquitous (as they already have in the Asian markets) this will become a bigger and bigger issue. Hold on to your hats!

7 Responses to “Obscure XSS Vector works on Wapsilon.com”

  1. Raif Says:

    Your malformed image tag comment reminded me. Slightly related…

    One of my buddies is a web designer and he wanted me to check out this site he was working on to see if there was any way I could get around his filters. Long story short, the way I found to get around his filters was a combination of a couple of things on your XSS cheat sheet. I used a malformed image tag and I had to encode the word javascript just so it wouldn’t get replaced with a # symbol. The resulting persistent XSS looked like this:

  2. Raif Says:

    hrm, well, i guess your site gets rid of it…

  3. RSnake Says:

    Hahha, just encode it — &lt; turns into < and so on… or you can post it to the forums.

  4. inc - (v-wall staff) Says:

    Hey RSnake, a few things on here are incorrect.

    1: The site was www.wapsilon.com
    and
    2: The link to wabsilon_input_vector.jpg is forbidden

    ./../INC

  5. RSnake Says:

    Whoops, thanks, V-wall… better late than never (even if it’s by months).

  6. inc - (v-wall staff) Says:

    Hey RSnake. Yes I know it was very late to pick up on it. I was going through the v-wall staff posts on the site, when I noticed the error.

    I’d also like to take the time in this comment to say sorry for my last comment, as it may have seemed a bit rude and arrogantly worded. My day so far has not been the best, but that does not make space for me being rude towards others, so said plain and simple and for everyone to read: “sorry dude”.

  7. RSnake Says:

    Hahah, no problem. I feel bad for having typos in my stuff. I try to keep things as accurate as possible because I know so many eyes are on everything I write. Thanks and don’t worry, I didn’t take it that way.