[OWASP-Security101] JSON with XSS and CSRF exploitation.

psiinon psiinon at gmail.com
Tue Apr 23 08:20:15 UTC 2013

Hi Shritam,

This came up recently on the LinkedIn "WAST - Web Application Security
Testing" group, so I'm copying my post from there as I realise not
everyone will use LinkedIn:

"I found a reflected XSS in a website, so I created a POC to show how
serious a problem it could be. Note that I _did_ have permission to test
this site!
The XSS was in the search box (very common) and allowed me to put any
content in I liked.

So I explained that an attacker could post a message to a forum saying
company X is being taken over - see this link for details.
The link would be to something like tinyurl so would not obviously be
Anyone who followed it would be taken to company X's website, which would
apparently confirm that they were being taken over and give a login page
that apparently they could put their credentials in to get more info.
All of that was of course my 'attack' encoded in the URL.
It reused their stylesheets so looked very convincing.

This could have seriously affected company X's share price (which an
attacker could have benefited from), spread disinformation and have
captured a whole load of valid credentials for other websites that company
X maintained.
This was demoed to company X's board and was fixed _very_ quickly :) "

Following the link you posted, it looks like you can essentially inject any
data you want into the page.
This means you can rewrite the page >:)
It's pretty easy to completely change the page using JavaScript - use
getElementById (or similar) to find elements and then use style="display:
none;" to hide them.
Then you can inject your own content, like an improbably good deal and a
login form which then steals the user's credentials.
You are only limited by your imagination.
Tricking people to click on your link is just a social engineering problem.

An attacker may well try to inject 'drive by malware', so that's something
you can warn your client about.

Finally, you should be careful when posting details of client
This is a public list so you never know who's subscribed ...



On Fri, Apr 19, 2013 at 1:13 PM, Shritam Bhowmick <
shritam.bhowmick at gmail.com> wrote:

> Hello, OWASP,
> I am on a project and trying to actually penetrate (demonstrate) to a client
> the seriousness of an XSS attack. The attack is on a JSON server.
> It's not accepting HTTP methods so that I can deploy a cookie grabber to
> explain to him how serious the problem is.
> This is the original link. I would really request and love to get suggestions
> on what more I can do to convey to the CTO that this is a serious flaw:
> http://www.snapdeal.com/products/lifestyle-handbags-wallets?q=%3Cb%3Eabcd1%3Cscript%3Ealert%280%29%3C/script%3E%3Cscript%3Ealert%28document.location%29%3C/script%3E%3Cscript%3Edocument.location=%22http://http://http://www.yahoo.com%22%3C/script%3E
> also this:
> www.snapdeal.com/gtcol?pc=
> I referred to
> http://blog.spiderlabs.com/2012/09/json-hijacking-demystified.html
> but the point is I am not able to decide what to do with it. Is it
> supposed to do a CSRF attack? If yes, how?
> --
>  Regards
> Shritam Bhowmick
> Security Analyst
> Lucideus Tech Pvt Ltd
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
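The root cause discussed in this thread is a search parameter reflected into the page without encoding. As an added example (not code from either poster or from the site in question), here is that unsafe concatenation beside a version that HTML-encodes the query first; the sample payload is reconstructed from the decoded URL quoted above, and the render functions are hypothetical stand-ins for the site's own templating:

```javascript
// Added example: reflecting a search query into HTML, unsafe vs. encoded.
// Plain string templating so it runs under Node without a DOM; the same
// rule applies unchanged to server-side templates.

// Constructed payload: the decoded q= value from the URL quoted in the thread.
var SAMPLE_PAYLOAD = '<b>abcd1<script>alert(0)</script>';

// Vulnerable: the query is concatenated straight into the markup, so any
// tags or quotes in it become part of the page (the reflected XSS above).
function renderSearchUnsafe(query) {
  return '<h2>Results for: ' + query + '</h2>' +
         '<input type="search" name="q" value="' + query + '">';
}

// HTML entity encoding covering element content and double-quoted
// attributes, the two contexts the renderer below writes into.
function escapeHtml(str) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
              '"': '&quot;', "'": '&#x27;' };
  return String(str).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Hardened: every reflection of the untrusted query goes through the encoder.
function renderSearchSafe(query) {
  var q = escapeHtml(query);
  return '<h2>Results for: ' + q + '</h2>' +
         '<input type="search" name="q" value="' + q + '">';
}

// Review check: does a raw script tag, or an attribute-breaking quote
// from the input, survive into the rendered markup?
function reflectsLiveMarkup(html, input) {
  if (/<script\b/i.test(html)) { return true; }
  return input.indexOf('"') !== -1 && html.indexOf(input) !== -1;
}

console.log(reflectsLiveMarkup(renderSearchUnsafe(SAMPLE_PAYLOAD), SAMPLE_PAYLOAD)); // true
console.log(reflectsLiveMarkup(renderSearchSafe(SAMPLE_PAYLOAD), SAMPLE_PAYLOAD));   // false
```

Encoding is context-specific: the encoder above is correct for HTML text and quoted attributes, but a value placed inside a script block or a URL needs the encoder for that context instead.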
