David Ziegler's personal blog of computing, math, and other heroic achievements.


07 Jul 2009

I Found A Surprisingly Simple XSS Hack

So the other day, I was bored and told a friend of mine that I would try to hack into one of her accounts. I didn’t have a particularly good reason for this, I mainly just wanted to see if I could. She suggested a prominent social networking site which I’ll call X.com.

First, a little background and a disclaimer. The only reason I'm describing this exploit is that as soon as I discovered it, I emailed the site admins and they fixed it within a few hours. This post is intended for educational purposes and to help others make sure that their own sites are secure.

I figured I would try an XSS attack through their instant messaging system, because I knew they allowed certain tags like <a> and <i> in messages. The idea behind XSS is simple: if I can get my own JavaScript to run in your browser on X.com's pages, it runs with your session, the game is over and I win.

So, the first thing I tried was sending her this message:

Hey, what's up? <script>alert('test')</script>

which, unsurprisingly, was sanitized to just:

Hey, what's up?

I knew <img> tags wouldn't work, so the next thing I tried was:

Hey, what's up? Click this <a href="javascript:alert('test')">link</a>

To my surprise, this did not get sanitized, meaning that she saw this:

Hey, what's up? Click this link

If you click that link, a harmless little alert box pops up. Why is that a big deal? Well, if I replace alert with a function that grabs her X.com cookie string and sends it to one of my servers in an Ajax request, then I can log in with her account. And just to be sure, I did just that, and was able to sign in as her.

So what's the moral? The people at X.com are certainly not stupid, but it was a little scary to find out that the second most simple XSS attack I could think of worked on a pretty prominent social networking site. I contacted one of the engineers about this, and according to him the backend was sanitizing the HTML properly, but one of the designers had used an unescapeHTML function on the front end to support simple styles like <b> and <i>, undoing that work and unknowingly creating this vulnerability. Anytime you unescape HTML, especially HTML that came from users, you had better be really, really sure you know what you're doing: a blanket unescape brings back every tag the user typed, and an <a> with a javascript: URL executes just as readily as a <script> tag. The safe way to get a few styles back is to re-enable only an explicit allowlist of tags and attributes, and to check that every href uses an http or https scheme before emitting it. Marking the session cookie HttpOnly would have kept document.cookie out of reach of the injected script, but that is a mitigation rather than a fix, since the script could still act as her inside the page.
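As an added illustration (my own JavaScript, not X.com's code and not from the original post), here is the pattern the engineer described beside a safer alternative. It assumes the backend escapes the five HTML-significant characters as shown in escapeHTML, and that the only markup the client wants to bring back is <b>, <i> and <a href>; the sample messages are constructed for the example.

```javascript
// Assumed backend behaviour: escape the characters that matter in HTML.
function escapeHTML(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// The mistake: a blanket unescape reverses ALL of the backend's escaping, so any tag
// the user typed, including <a href="javascript:...">, reaches innerHTML intact.
function unescapeHTML(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
          .replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}

// Decide whether a still-entity-escaped href value may be emitted.
// Browsers ignore tab/newline/CR inside the scheme and match it case-insensitively,
// so strip control characters and whitespace and lower-case before checking the scheme.
function isSafeHref(escapedHref) {
  const decoded = escapedHref.replace(/&amp;/g, "&");   // the only entity allowed inside
  const normalized = decoded.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  return /^https?:\/\//.test(normalized);
}

// The fix: leave the escaped text escaped and re-enable only an explicit allowlist.
function allowSimpleTags(escaped) {
  let out = escaped;
  // Exact tokens only, no attributes: <b>, </b>, <i>, </i>. "<b onclick=...>" stays text.
  out = out.replace(/&lt;(\/?)(b|i)&gt;/g, "<$1$2>");
  // A whole <a href="...">...</a> pair, emitted only if the scheme check passes;
  // an href containing any other entity (e.g. &#39;) simply fails to match and stays text.
  out = out.replace(/&lt;a href=&quot;((?:[^&]|&amp;)*?)&quot;&gt;(.*?)&lt;\/a&gt;/g,
    (match, href, text) =>
      isSafeHref(href) ? `<a href="${href}" rel="noopener noreferrer">${text}</a>` : match);
  return out;
}

// Constructed sample messages, run through the assumed backend escaping first.
const BENIGN   = escapeHTML('see <b>this</b> and <a href="https://example.com/?a=1&b=2">link</a>');
const PAYLOAD  = escapeHTML('Click this <a href="javascript:alert(1)">link</a>');
const OBFUSC   = escapeHTML('<a href="JaVa\tscript:alert(1)">x</a>');
const ENTITY   = escapeHTML('<a href="&#106;avascript:alert(1)">x</a>');
const SCRIPT   = escapeHTML('<script>alert(1)</script>');

function demo() {
  return {
    buggy: unescapeHTML(PAYLOAD),        // the raw javascript: link comes straight back
    fixed: allowSimpleTags(PAYLOAD),     // the link stays as harmless escaped text
    benign: allowSimpleTags(BENIGN),     // <b> and the https link are restored
  };
}
```

The href is emitted still entity-escaped (only &amp; can appear inside it), so it is safe inside the attribute without a second escaping pass.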

Also, this reminded me that a lot of Django developers rely on Django to autoescape their templates. Autoescaping only happens when a template is rendered, though. During Ajax requests, if you're just serializing a dictionary of variables back as JSON, make sure that any strings you're passing back are getting escaped! Unless the strings were produced via render_to_string or something similar, they are not autoescaped, and the first time the client drops one of them into innerHTML you have the same bug by a different path, so just be aware.
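As an added example (my own JavaScript, not from the post or from Django), here is the client side of that path: a constructed JSON body exactly as a server would serialize it, a typical Ajax handler that concatenates the fields into markup, and a helper that HTML-escapes every string leaf of the decoded JSON before rendering. The escaping could equally be done where the JSON is produced, as the post advises; it just has to happen somewhere before the strings become HTML.

```javascript
function escapeHTML(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
                  .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Walk a decoded JSON value and HTML-escape every string leaf. Numbers, booleans and
// null pass through untouched; object keys are left alone so property lookups still work.
function escapeJsonStrings(value) {
  if (typeof value === "string") return escapeHTML(value);
  if (Array.isArray(value)) return value.map(escapeJsonStrings);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = escapeJsonStrings(v);
    return out;
  }
  return value;
}

// Typical Ajax handler: builds markup by concatenation and hands it to innerHTML.
// Fed raw JSON strings, this is the vulnerability on a different path.
function renderMessages(messages) {
  return messages.map(m => `<li><b>${m.from}</b>: ${m.text} (${m.age})</li>`).join("");
}

// Constructed sample: what json.dumps() on the server emits for a hostile message.
// Nothing in that serialization touches the HTML inside the "text" field.
const SAMPLE_JSON =
  '[{"from":"mallory","text":"<a href=\\"javascript:alert(1)\\">click</a>","age":27}]';

function renderUnsafe(json) { return renderMessages(JSON.parse(json)); }
function renderSafe(json)   { return renderMessages(escapeJsonStrings(JSON.parse(json))); }
```

Where the data is only ever plain text, skipping string concatenation altogether and setting textContent on a created element avoids the need to escape at all; the helper above is for code that is already committed to building HTML strings.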
