V-Wall sent me a pretty interesting email today about an XSS vulnerability in wapsilon.com. Generally I don't bother posting these sorts of things, but this one was fairly interesting from a web application security perspective for a few reasons. One, it's on a WAP site, and I really am wondering how XSS will invade other forms of browsers, including those on handheld devices. Secondly, it's interesting because of the particular vector V-Wall used: the malformed IMG tag. Note also where the payload ends up executing: the injection is on the chat site, but the transcoding gateway re-serves that content under its own name, so the script runs in wapsilon.com's origin rather than the chat site's.
OK, so I've been doing a bit more looking into things on www.wapsilon.com (a site used to surf WAP sites). What I've been looking at is using WAP apps to run XSS attacks, and I have found one you may be interested in here. I'll give you the basic overview first, then go into it more.

OK, so we have www.wapsilon.com, which is used to surf WAP sites. Ultimatekaos.co.uk is a WAP site I used in my tests; it's a simple WAP chat site. I've been able to use the PM system on there and have www.wapsilon.com run my XSS code.

So now more detail on Ultimatekaos.co.uk. Like I said, it's a basic WAP chat site: you can use the forums, send PMs to people, go in chat rooms, etc. Now, I first found there may be a chance for using code injection on the site when I was trying different input and sent myself a PM with the text " <> " (no speech marks), and when I went to read the PM there was an error. I was nicely shown the resulting code, and sure enough, sat there was my <>. To make sure it was code I'd injected, I did it again, but this time used " < hello me > " (no speech marks), and sure enough, on trying to read the PM I got an error and was shown the code, and there sat my code.

I made my way to your site and made a list of the vectors that would work with Firefox, and went through them, trying them one by one. The one I came across first that worked was alert(document.cookie). Now the code was run, and sure enough I got a window, BUT it seemed there was no cookie set. So, just to check where the code was running, I changed the code to alert(document.location), which when run showed www.wapsilon.com as the place where the code was being run.

So it seems that as www.wapsilon.com transfers the WAP page code through its app for reading and decoding, etc., the SCRIPT tags get passed as code to be run by www.wapsilon.com.
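To make the mechanism concrete, here is a toy model of the gateway V-Wall describes. This is an added example, not code from the original post, from V-Wall's email, or from wapsilon.com; the origins, the function names and the sample WML deck are all constructed for illustration. The gateway fetches a WML deck from the chat site on the user's behalf and re-serves it as HTML from its own origin, so whatever markup a chat user got into a PM is rendered inside the gateway's origin, which is exactly why document.location reported the gateway and not the chat site. The hardened variant treats upstream content as data and escapes it before placing it in the page.

```javascript
// Added example (not from the original post or V-Wall's email).
// Models a WAP-to-HTML transcoding gateway: it fetches a WML deck from the
// upstream chat site and serves the converted page from ITS OWN origin.
// Every name and the sample deck below are constructed for this example.

const UPSTREAM_ORIGIN = 'http://wapchat.example';  // stands in for the chat site
const GATEWAY_ORIGIN = 'http://gateway.example';   // stands in for the transcoding site

// Constructed WML deck for the chat site's "read PM" card, with the PM body
// spliced in unescaped, as the email reports the chat site did.
function buildPmDeck(pmBody) {
  return '<?xml version="1.0"?><wml><card id="pm" title="Private message">' +
         `<p>From: attacker</p><p>${pmBody}</p></card></wml>`;
}

// Pull the text of each <p> element out of the deck. A real transcoder
// handles far more of WML than this, but the origin problem is the same.
function extractParagraphs(wml) {
  return [...wml.matchAll(/<p>([\s\S]*?)<\/p>/g)].map(m => m[1]);
}

// Vulnerable transcoder: copies upstream markup straight into the HTML it
// serves, so an injected <script> becomes a live script in the gateway's page.
function transcodeUnsafe(wml) {
  const body = extractParagraphs(wml).map(p => `<p>${p}</p>`).join('');
  return {
    fetchedFrom: UPSTREAM_ORIGIN,
    servedFrom: GATEWAY_ORIGIN,   // the origin the browser assigns to the page
    html: `<html><body>${body}</body></html>`,
  };
}

// Standard HTML entity escaping for text placed in element content.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened transcoder: upstream text is data, not markup, so it is escaped
// before being placed in the gateway's page.
function transcodeSafe(wml) {
  const body = extractParagraphs(wml).map(p => `<p>${escapeHtml(p)}</p>`).join('');
  return {
    fetchedFrom: UPSTREAM_ORIGIN,
    servedFrom: GATEWAY_ORIGIN,
    html: `<html><body>${body}</body></html>`,
  };
}

// Crude check: does the served page contain a live <script> element?
function hasLiveScript(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Demonstration with the probe from the email and a script payload.
const probeDeck = buildPmDeck('< hello me >');
const scriptDeck = buildPmDeck('<script>alert(document.location)</script>');

const unsafe = transcodeUnsafe(scriptDeck);
const safe = transcodeSafe(scriptDeck);
console.log('unsafe transcoder: live script =', hasLiveScript(unsafe.html),
            '; it would run in', unsafe.servedFrom, 'not', unsafe.fetchedFrom);
console.log('safe transcoder:   live script =', hasLiveScript(safe.html));
console.log('probe as served safely:', transcodeSafe(probeDeck).html);
```

The point the example makes is that the gateway, not the chat site, is the origin whose cookies and DOM the injected script can reach. Any fix therefore belongs in the transcoder: it must escape (or whitelist and re-serialize) upstream content, because it cannot rely on every WAP site it proxies to do so.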
I know there have been some vulnerabilities in PDA devices thus far dealing with CSRF against the device itself (stealing contact info or other nefarious things), but as PDAs become ubiquitous (as they already have in Asian markets) this will become a bigger and bigger issue. Hold on to your hats!