——————————————————————
0x1 Title: Twitter [Mobile] Account Settings Cross Site Scripting and Multiple Html Injection Vulnerability
0x2 Script Link: https://mobile.twitter.com/settings
0x3 Author: Sandeep kamble
0x4 Reported: December 28, 2011
0x5 Vulnerability Fix Date: Jan 05, 2012
0x6 Public Release: Jan 05, 2012
0x7 Browser: Firefox, IE
0x8 OS: Win7, Ubuntu
——————————————————————
Description of script:
Twitter provides features to protect user privacy. Using the account settings you can protect your Tweets, change your username, change your password, and change your e-mail address.
Affected script URL:
Code:
URL #1: https://mobile.twitter.com/settings/screen_name
URL #2: https://mobile.twitter.com/settings/name
Vulnerability Description:
1) Cross Site Scripting Vulnerability (Twitter mobile is affected by user-side XSS, although it was protected against clickjacking):
Cross-Site Scripting is a type of injection attack in which malicious JavaScript is injected into a web site's dynamic pages.
2) HTML Injection Vulnerability (Twitter mobile is affected on the user side; one HTML injection was stored):
HTML Injection is a type of injection in which malicious HTML code is injected into a web site's pages.
Exploit Description + Proof of Concept:
Code:
URL #1: https://mobile.twitter.com/settings/name
Title #1: Stored HTML Injection Vulnerability
The above URL contains one input box for changing the name. The HTML code of the input box is as follows.
Twitter allows only 20 characters in the name field.
If we try to execute malicious HTML code, the HTML code looks as follows:

Code:
HTML Code : "><marquee>sandeep

The malicious HTML code executed successfully, fitting the syntax of the input box. The following shows the output of executing the above code in the input box.

Code:
URL #2: https://mobile.twitter.com/settings/name
Title #2: Cross Site Scripting and HTML Injection Vulnerability
The above URL contains one input box for changing the username. The HTML code of the input box is as follows.
In the input box we can execute JavaScript as well as HTML code, so it is vulnerable to both Cross Site Scripting and HTML code injection.

Code:
JS : "><script>alert(document.domain)</script>

The malicious JS code executed successfully, fitting the syntax of the input box. The following shows the output of executing the above code in the input box.

Similarly, we can execute HTML code here, but this HTML code execution is not stored.
Check Out Video Here
Countermeasure
1) Determine whether HTML output includes input parameters
2) In short, perform input sanitization
Warm Regards,
Sandeep Kamble
www.sandeepkamble.com
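The two countermeasures above, as an added example (not code from the advisory or from Twitter): the settings value is rendered into an input box once by plain concatenation and once with a length check and attribute-context encoding, and an HTML parser then checks whether the input created any element besides the input box. The form markup, field name and function names are assumptions; the 20-character limit and the sample value come from the advisory.

```python
import html
from html.parser import HTMLParser

MAX_NAME_LEN = 20  # the advisory states the name field allows 20 characters
FIELD = '<input type="text" name="name" value="%s">'  # assumed form markup


def render_unsafe(value):
    """The 'before' pattern: user input placed into the attribute as-is."""
    return FIELD % value


def render_safe(value, max_len=MAX_NAME_LEN):
    """Server-side length check plus attribute-context output encoding."""
    if len(value) > max_len:
        raise ValueError("value longer than %d characters" % max_len)
    # quote=True also encodes " and ', so the value cannot close the attribute
    return FIELD % html.escape(value, quote=True)


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags, self.values = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.values.append(dict(attrs).get("value"))


def parse_field(markup):
    """Return (start tags, decoded value attributes) as an HTML parser sees them."""
    c = _Collector()
    c.feed(markup)
    c.close()
    return c.tags, c.values


def breaks_out(markup):
    """Countermeasure 1 as a check: did the input create any tag besides <input>?"""
    return parse_field(markup)[0] != ["input"]


if __name__ == "__main__":
    payload = '"><marquee>sandeep'  # the value shown in the advisory
    for render in (render_unsafe, render_safe):
        print(render.__name__, breaks_out(render(payload)), render(payload))
```

With encoding applied, the parser sees a single input element whose value is the literal text the user typed, so the name round-trips unchanged instead of becoming markup.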