Aug 14, 2010

XSS found in Linkbucks.com

The Linkbucks.com website was found to be vulnerable to Cross-Site Scripting (XSS), which could be exploited using malicious scripts.


Vulnerability Description:
==========================
Linkbucks.com is a famous advertising network site that brings web users, websites and marketers together. The XSS vulnerability is in the Default.aspx page: script can be injected through the Message and Returnurl parameters. This can be exploited by injecting arbitrary HTML and malicious script code, which will execute in a user's browser session. Unvalidated redirection and forwarding are also possible.

Vulnerability testing:
======================
Vulnerable URL: http://www.linkbucks.com/Default.aspx?
Tested with: Firefox 3.5 and Internet Explorer 7 on Windows XP SP3

A simple "alert("You are hACked by w01f")" script was injected into the "Default" page. It was executed and displayed in the web browser. Malicious scripts could be executed using this method.



Exploit Code using "alert": Download

- Update on 19 Aug

Below is a video demonstration of exploiting the XSS vulnerability using redirection. It redirects to my blog. An attacker could redirect to a spoofed Linkbucks site with malicious code.



Exploit Code using redirection: Download

Remediation:
============
The Message and ReturnURL parameters need to be properly sanitized after a user logs out. The Linkbucks support team was contacted about the vulnerability. The support ticket is "#KHT-97974-227", but so far no fix has been made.
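
One way to apply the remediation above, as an added example that is not part of the original post and is not Linkbucks code: a C# helper (the vulnerable page is an ASP.NET page) that HTML-encodes Message before it is written to the page and accepts ReturnURL only when it is a same-site relative path. The class and method names, the fallback target and the sample inputs are assumptions.

```csharp
using System;
using System.Net;

// Added example: hypothetical helper, not the site's own code.
public static class LogoutParams
{
    // Assumed fallback target used when ReturnURL is rejected.
    private const string DefaultTarget = "/Default.aspx";

    // Encode Message for an HTML text context so markup is displayed, not executed.
    public static string RenderMessage(string message)
    {
        return WebUtility.HtmlEncode(message ?? string.Empty);
    }

    // Accept only same-site relative paths; anything else falls back to DefaultTarget.
    public static string SafeReturnUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)) return DefaultTarget;
        // Must be rooted at "/". This rejects absolute URLs and scheme-based values.
        if (returnUrl[0] != '/') return DefaultTarget;
        // "//host" and "/\host" are treated by browsers as a different host.
        if (returnUrl.Length > 1 && (returnUrl[1] == '/' || returnUrl[1] == '\\'))
            return DefaultTarget;
        // Control characters (CR/LF) must never reach a redirect header.
        foreach (char c in returnUrl)
            if (char.IsControl(c)) return DefaultTarget;
        return returnUrl;
    }

    public static void Main()
    {
        // Constructed sample inputs, not values taken from the site.
        string[] messages = { "You have logged out.", "<script>alert(1)</script>" };
        foreach (string m in messages)
            Console.WriteLine(RenderMessage(m));

        string[] targets = { "/Account/Links.aspx", "http://example.test/",
                             "//example.test/", "/\\example.test/", null };
        foreach (string t in targets)
            Console.WriteLine("{0} -> {1}", t ?? "(null)", SafeReturnUrl(t));
    }
}
```

If the validated ReturnURL is written into an attribute such as href rather than used in a server-side redirect, it still needs attribute encoding at the point of output.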