
StumbleUpon XSS Vulnerability


Update: StumbleUpon has fixed the XSS vulnerability. You can read more about it in my blog post "StumbleUpon Fixes The XSS".

Recently I wrote a post, "Detecting Cross Site Scripting Attacks XSS With Fiddler", explaining how Fiddler can help detect persistent and non-persistent cross-site scripting vulnerabilities inside a web application. It generates many false positives, but it is still a very useful tool.
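As an added example, not code from the original post and not Fiddler's own logic, here is the kind of reflection check a proxy's XSS rule performs, together with the distinction that separates a real reflected-XSS candidate from a false positive: a probe containing HTML metacharacters is sent in a query parameter, and the response body is classified by whether it echoes the probe verbatim, HTML-encoded, with the metacharacters stripped, or not at all. The endpoint, parameter name and response bodies below are constructed for illustration and are not StumbleUpon's.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Unique token so the probe cannot collide with ordinary page content,
# wrapped in the characters an attacker needs to break out of a tag or
# attribute. Both are constructed for this example.
CANARY = "zx9q"
PROBE = "<" + CANARY + "\"'>"


def probe_url(base: str, param: str) -> str:
    """Build the request URL with the probe as the value of `param`."""
    return f"{base}?{urlencode({param: PROBE})}"


def classify_reflection(value: str, body: str) -> str:
    """How does `value` come back in `body`?

    'raw'      - echoed verbatim, metacharacters intact (XSS candidate)
    'encoded'  - echoed but HTML-entity-encoded (safe; a naive rule still fires)
    'filtered' - the token survives but the metacharacters were altered or removed
    'none'     - not reflected at all
    """
    if value in body:
        return "raw"
    if html.escape(value, quote=True) in body:
        return "encoded"
    if CANARY in body:
        return "filtered"
    return "none"


def scan_response(url: str, body: str):
    """For each query parameter of `url`, report how its value is reflected.

    Returns (param, verdict, naive_hit, real_candidate) tuples. `naive_hit`
    models a proxy rule that fires whenever any trace of the request value
    echoes back; `real_candidate` requires the metacharacters to survive.
    """
    findings = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            verdict = classify_reflection(value, body)
            naive_hit = verdict != "none"
            real_candidate = verdict == "raw" and any(c in value for c in "<>\"'")
            findings.append((name, verdict, naive_hit, real_candidate))
    return findings


# Constructed response bodies for a hypothetical search endpoint.
SAMPLE_BODIES = [
    ("raw", "<p>Results for " + PROBE + "</p>"),
    ("encoded", "<p>Results for " + html.escape(PROBE, quote=True) + "</p>"),
    ("filtered", "<p>Results for " + CANARY + "\"'</p>"),
    ("none", "<p>No results</p>"),
]


if __name__ == "__main__":
    url = probe_url("https://example.test/search", "q")  # hypothetical endpoint
    for label, body in SAMPLE_BODIES:
        for name, verdict, naive, real in scan_response(url, body):
            print(f"{label:>8}: param={name} reflection={verdict} "
                  f"naive_rule_fires={naive} real_candidate={real}")
```

The "encoded" case is exactly the false positive the post mentions: the parameter value comes back in the response, so a rule that only asks "does the request value appear in the reply?" flags it, but the entities render as text and no script executes. Only the "raw" case, where the angle brackets and quotes survive untouched, is worth following up by hand with an actual payload.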


A few days ago, while I was hunting for vulnerabilities in stumbleupon.com (for those who don't know, StumbleUpon is one of the world's largest social bookmarking websites, with an Alexa rank of 149), Fiddler helped me find a non-persistent (reflected) XSS vulnerability in StumbleUpon. Here is the screenshot that demonstrates the proof of concept:



The vulnerability has been reported to StumbleUpon, but I haven't had a reply from them yet. For security reasons I cannot disclose the URL and parameters for the injection. I hope StumbleUpon fixes the vulnerability soon.

4 comments:

  1. What harm can you do to StumbleUpon with this?

  2. * Social engineering attacks: can redirect to malicious sites
     * Hijack accounts

  3. Can you disclose that link after it gets patched?


© 2016 All Rights Reserved by RHA Info Sec.