Tuesday, 13 January 2015

XSS on Vimeo

http://developer.vimeo.com had a flaw in one of their inputs.

Here is how it works:

They have an input where you can add a url and it will fetch an image from anywhere and display it as a logo for your app:


Apart from the XSS, they weren't filtering to accept only image links.

The poc XSS:

http://alex.avlonitis.me/images/face.png' onmouseover="onmouseover="alert(document.domain)"

The input break: