Tuesday, February 26, 2013


Continuing my project of finding XSS flaws on antivirus vendors' websites (after Panda Security, AVG and Kaspersky), I found a DOM XSS vulnerability on the McAfee website:
A user could inject code, for example:
<img src=f00bar onerror=prompt("xss");>
...into the text input of the "Search the Threat Library" form.
When the select box is changed, the XSS vector is executed in the browser.

This "self-XSS" is a minor security issue, but it can still be used to trick other users, and it was a good way to check the security policies of McAfee.

Keep in mind that this issue has been fixed.
My congratulations to the McAfee security team for their good and fast support.

Wednesday, February 13, 2013

DOM XSS vulnerabilities on Booking.com

Booking.com B.V., part of Priceline.com (Nasdaq: PCLN), owns and operates Booking.com, the world leader in booking accommodation online. Each day, over 400,000 room nights are reserved on Booking.com, and the website attracts over 30 million unique visitors each month from both the leisure and business sectors worldwide.

In January I started receiving phishing emails using Booking.com as bait to spread malware.
If these malicious users had the right tools, such as an XSS vulnerability, they could infect more users. That would not be good...

After browsing the website for a bit I found two DOM XSS vulnerabilities.
Both vulnerabilities were exploitable because location.hash was not escaped and the site used an older version of jQuery. That way it was possible for a user to inject code into a victim's browser DOM.

Proof of concept #1 (iPhone landing)
http://www.booking.com/general.en-us.html?sid=c81e148e3eceef6c8e2073bc50258a1c;dcid=1;tmpl=docs/iphone_landing&=&#<img src=x onerror=prompt("xss");>

Proof of concept #2 (FAQ section)
http://www.booking.com/general.en-us.html?dcid=1&sid=c81e148e3eceef6c8e2073bc50258a1c&tmpl=docs/faqmain#<img src=x onerror=prompt("xss");>
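The root cause above, as an added example that is not Booking.com's or jQuery's own code: old jQuery releases decided whether `$(str)` was HTML or a selector with a regex that did not exclude a leading `#`, so `$(location.hash)` parsed a fragment such as `#<img ...>` as markup. The two regexes below are modelled on that pre-1.6.3 / post-1.6.3 behaviour, and `resolveSection` is an assumed hardened handler (allowlist of section names is constructed for this example) that treats the fragment as data instead of markup.

```javascript
// Modelled on jQuery's old "quickExpr": any string containing <tag> is HTML,
// even when it starts with '#', which is exactly what location.hash does.
const OLD_QUICK_EXPR = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// Later releases exclude '#' before the first '<', so '#<img ...>' is no
// longer treated as HTML and falls through to the selector engine.
const NEW_QUICK_EXPR = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// How $(str) would classify the string under a given regex:
// 'html' (parsed into DOM nodes, so onerror fires), 'id', or 'selector'.
function classify(str, quickExpr) {
  const m = quickExpr.exec(str);
  if (!m) return 'selector';
  return m[1] ? 'html' : 'id';
}

// Hardened handler. The fragment is never passed to a DOM sink: it is
// validated against an allowlist of known template sections (constructed
// names for this example) and anything echoed back is HTML-escaped.
const ALLOWED_SECTIONS = new Set(['iphone_landing', 'faqmain']);

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function resolveSection(hash) {
  const name = hash.replace(/^#/, '');
  if (!/^[A-Za-z0-9_-]{1,40}$/.test(name) || !ALLOWED_SECTIONS.has(name)) {
    // Unknown or malformed fragment: report it as text, never as markup.
    return { ok: false, html: '<p>Unknown section: ' + escapeHtml(name) + '</p>' };
  }
  return { ok: true, html: '<div id="' + name + '"></div>' };
}

// Constructed sample: the fragment used in the proofs of concept above.
const SAMPLE_HASH = '#<img src=x onerror=prompt("xss");>';
console.log('old jQuery:', classify(SAMPLE_HASH, OLD_QUICK_EXPR));   // html
console.log('new jQuery:', classify(SAMPLE_HASH, NEW_QUICK_EXPR));   // selector
console.log('hardened  :', resolveSection(SAMPLE_HASH).html);
```

Upgrading jQuery only closes the `$(location.hash)` path; a page that writes the fragment into `innerHTML` or `document.write` stays vulnerable, which is why the handler validates and escapes regardless of library version.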

Both issues are now fixed.

I was only able to get a reply from the Booking.com team when contacting them via Twitter. After that I established a conversation with their security team, who were very effective and fast, fixing both vulnerabilities in a couple of hours. They reported that they are working on making the site safer every day and appreciate any assistance.
Thanks for that.

Friday, February 8, 2013

eBay XSS vulnerability

How about finding a vulnerability in the biggest online marketplace in the world?

When searching on eBay I found out that it was possible to execute an XSS attack in their job search section.

Proof of concept:
On eBay Careers, you clicked on Search Openings and in the Requisition No. field you entered the XSS vector:
<img src=x onerror=prompt("xss");>

Then you clicked Search. The following screen does not execute the XSS, but when you click:
...it opens a new window in which the XSS executes.

This issue has been fixed and some pages removed.

I want to thank the eBay security team for the fast reply and for putting me on their Security Researchers Acknowledgment page. By the way, I'm the first Portuguese guy on the list...

Tuesday, February 5, 2013

Disable Blogger.com toolbar

While playing around with my blog I discovered that it is possible to temporarily disable the blogger.com toolbar just by adding a new parameter to the URL.

This is not a security issue and should not be considered a threat to any user or blog.
Think of it as an easter egg :-)

It's quite simple to replicate.
Just adding:

...to the URL of any Blogger account (it also works with a custom domain associated with Blogger) will disable the Google Plus buttons and the toolbar.

Google reported that they will fix this issue as soon as possible.