Advisory WA-2002-01: Vulnerability in Abcnews.com Stories by ZIP
Code Feature
This is my first advisory in what will more than likely become a series of
similar things on cross-site scripting at major web sites. When we think
of XSS bugs, we think of typical things, search boxes, guestbooks, etc.
"Stories by ZIP Code" was not on my list. :-)
A vulnerability in the way this is handled at abcnews.com results because
the box is not required to contain all-numerical data, and is allowed
arbitrary
length -- and, returned unfiltered when a search fails.
The example URL here will cause a textarea to display below the box. Type
in a JS command and double click to see it working:
http://my.abcnews.go.com/localpageMainHandler?input=%22%3E%3CTEXTAREA+STYLE%
3Dheight%3A300px%3B+width%3D300px+ONDBLCLICK%3Deval%28this.value%29%3E%3C%2F
TEXTAREA%3E&input.x=0&input.y=0
"The reason the mainstream is thought
of as a stream is because it is
so shallow."
- Author Unknown
Code Feature
This is my first advisory in what will more than likely become a series of
similar things on cross-site scripting at major web sites. When we think
of XSS bugs, we think of typical things, search boxes, guestbooks, etc.
"Stories by ZIP Code" was not on my list. :-)
A vulnerability in the way this is handled at abcnews.com results because
the box is not required to contain all-numerical data, and is allowed
arbitrary
length -- and, returned unfiltered when a search fails.
The example URL here will cause a textarea to display below the box. Type
in a JS command and double click to see it working:
http://my.abcnews.go.com/localpageMainHandler?input=%22%3E%3CTEXTAREA+STYLE%
3Dheight%3A300px%3B+width%3D300px+ONDBLCLICK%3Deval%28this.value%29%3E%3C%2F
TEXTAREA%3E&input.x=0&input.y=0
"The reason the mainstream is thought
of as a stream is because it is
so shallow."
- Author Unknown