Cross-site Scripting (XSS) on Goodreads.com

-
Recently on an independent research I've found the Goodreads API was vulnerable to a Reflected Cross-site scripting.

The issue happens on their REST API on a callback function parameter. No sanitizing mechanism was found and the parameter is echoed back in the JSON payload, allowing a malicious user to
potentially launch XSS attacks.

I've submitted the issue to the Goodreads' security team and this was quickly fixed.
Goodreads is an Amazon company with  55 millions of users. Their site is ranked 139 in the USA and 336 globally, according to Alexa.

Proof Of Concept:




Vulnerable API calls with XSS payload:

https://www.goodreads.com/book/review_counts.json?callback=%3Chtml%3E%3Cbody%20onload=%22javascript:alert(%27XSS%27)%22%3E%3C/html%3E&isbns=0441172717

https://www.goodreads.com/book/isbn/0441172717?callback=%3Chtml%3E%3Cbody%20onload=%22javascript:alert(%27XSS%27)%22%3E%3C/html%3E&format=json

Vulnerability Disclosure Timeline:
2016-11-11: Goodreads notification
2016-11-11: Goodreads feedback
2016-11-15: Goodreads fix/patch
2016-12-12: Public disclosure

Comments

Post a Comment

Popular posts from this blog

The forgotten JBOSS Admin Console and CVE 2010-1871

-
Image
Well, we are in 2013 and It’s amazing how many JBOSS administration interfaces (jmx-console, web-console, invokers etc) are still exposed on the internet, however we are not going to talk about it. A couple of days ago I was performing a penetration testing and I found an environment with JBOSS AS 6. The JMX-Console wasn’t password protected but one console in special attracted my attention: the Admin Console. It seems that this console, I do not know the reason, is kind of forgotten by the security community as an attack vector. The default access credential for this console is admin/admin and it is also built upon a vulnerable version of Seam framework CVE 2010-1871 . This console provides a powerful JBOSS administration allowing a user to check the server’s configuration, to deploy and to delete applications, to read datasources etc. I checked out for the default credential but they were changed. There were other ways to hack this JBOSS but I was quite interes
Read more

A tool to detect Slow HTTP DoS attacks on pcap files

-
Image
Hello everybody, I wrote a python tool to detect Slow HTTP DoS attacks on pcap files: slowdos_detector . This is ideal for post-mortem analysis on captured traffic (pcap files). If you are curious about how to test it, you could leverage slowhttptest  to launch an HTTP DoS attack on your test server, capture the traffic and then use slowdos_detector to show offending HTTP transactions. Enjoy it and ping me if you have questions, issues or suggestions.
Read more