Comments on: Twitter XSS Bug http://xs-sniper.com/blog/2010/07/19/twitter-xss-bug/?utm_source=rss&utm_medium=rss&utm_campaign=twitter-xss-bug Thoughts on Security in an Uncivilized World… Fri, 27 Apr 2012 13:53:43 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: xssniper http://xs-sniper.com/blog/2010/07/19/twitter-xss-bug/comment-page-1/#comment-885 xssniper Tue, 20 Jul 2010 14:51:47 +0000 http://xs-sniper.com/blog/?p=292#comment-885 HTTPOnly would have helped defend against session cookie theft. HTTPOnly does not defend against attackers executing actions on behalf of the victim. So if twitter had HTTPOnly enabled, the attacker could still send tweets on behalf of the victim and steal all the content associated with the victim HTTPOnly would have helped defend against session cookie theft. HTTPOnly does not defend against attackers executing actions on behalf of the victim. So if twitter had HTTPOnly enabled, the attacker could still send tweets on behalf of the victim and steal all the content associated with the victim

]]> By: xssniper http://xs-sniper.com/blog/2010/07/19/twitter-xss-bug/comment-page-1/#comment-884 xssniper Tue, 20 Jul 2010 14:17:52 +0000 http://xs-sniper.com/blog/?p=292#comment-884 True, PBWorks PBwiki is a SaaS. There is a possibility that this XSS bug affects other websites as well (depending on what domain the wiki is served from). I looks like debugging functionality may have been enabled on the Twitter PBWiki site (ala stacktrace), which is now turned off. I completely agree on appropriately scoping cookies and locking down crossdomain.xml files. I think twitter should move the apiwiki to a seperate domain if possible True, PBWorks PBwiki is a SaaS. There is a possibility that this XSS bug affects other websites as well (depending on what domain the wiki is served from). I looks like debugging functionality may have been enabled on the Twitter PBWiki site (ala stacktrace), which is now turned off.

I completely agree on appropriately scoping cookies and locking down crossdomain.xml files. I think twitter should move the apiwiki to a seperate domain if possible

]]> By: Alexis http://xs-sniper.com/blog/2010/07/19/twitter-xss-bug/comment-page-1/#comment-882 Alexis Tue, 20 Jul 2010 05:53:36 +0000 http://xs-sniper.com/blog/?p=292#comment-882 Good article! If Twitter had been using the HTTPOnly flag on the cookie, would your exploit have worked? I appreciate that HTTPOnly is not honoured by all browsers and that it is not the ideal solution - but that it may help as part of a "defense in depth" approach. Alexis Good article! If Twitter had been using the HTTPOnly flag on the cookie, would your exploit have worked? I appreciate that HTTPOnly is not honoured by all browsers and that it is not the ideal solution – but that it may help as part of a “defense in depth” approach.

Alexis

]]> By: Rob http://xs-sniper.com/blog/2010/07/19/twitter-xss-bug/comment-page-1/#comment-880 Rob Mon, 19 Jul 2010 19:00:51 +0000 http://xs-sniper.com/blog/?p=292#comment-880 Uh oh, xssniper is back. No one is safe. You've been forewarned MW... Uh oh, xssniper is back. No one is safe. You’ve been forewarned MW…

]]> By: Stephen Sclafani http://xs-sniper.com/blog/2010/07/19/twitter-xss-bug/comment-page-1/#comment-878 Stephen Sclafani Mon, 19 Jul 2010 16:36:09 +0000 http://xs-sniper.com/blog/?p=292#comment-878 apiwiki.twitter.com is running PBWorks PBWiki SaaS so this XSS was not just in Twitter but every website using the service. I'm assuming Twitter contacted PBWorks when you reported the issue to them. The lesson here is that if you are going to use a third party service on a subdomain make sure you properly scope your cookies and also restrict crossdomain.xml access. apiwiki.twitter.com is running PBWorks PBWiki SaaS so this XSS was not just in Twitter but every website using the service. I’m assuming Twitter contacted PBWorks when you reported the issue to them.

The lesson here is that if you are going to use a third party service on a subdomain make sure you properly scope your cookies and also restrict crossdomain.xml access.

]]> By: xssniper http://xs-sniper.com/blog/2010/07/19/twitter-xss-bug/comment-page-1/#comment-877 xssniper Mon, 19 Jul 2010 15:58:33 +0000 http://xs-sniper.com/blog/?p=292#comment-877 A single URL uncode was one of the first things I tried, but you're right a double escape with a few unescape() calls would have probably worked just as well eval(unescape(unescape('%25%32%65 Payload with periods %25%32%65'))) A single URL uncode was one of the first things I tried, but you’re right a double escape with a few unescape() calls would have probably worked just as well

eval(unescape(unescape(‘%25%32%65 Payload with periods %25%32%65′)))

]]> By: radi http://xs-sniper.com/blog/2010/07/19/twitter-xss-bug/comment-page-1/#comment-876 radi Mon, 19 Jul 2010 13:05:53 +0000 http://xs-sniper.com/blog/?p=292#comment-876 one other approach to try is to URL encode the payload (or even double URL encode) and then use unescape to decode it back one other approach to try is to URL encode the payload (or even double URL encode) and then use unescape to decode it back

]]>