Hacker, Researcher and Author.

DOM Based XSS In AVG


Lately, i have been researching on DOM based XSS a bit, Recently i found a DOM based XSS in AVG, DOM based XSS is caused due to lack of input filtering inside client side javascripts, since most of the code is moving towards client side, therefore DOM based xss have been very common now a days, It is predicted by the experts that the DOM based xss mostly occurs in the websites that heavily rely upon javascripts.

With that being said, let's take a look at the DOM based XSS POC:




The vulnerability is the result of lack of escaping done in "js_stdfull.js". The following is the screen shot of the vulnerable code causing the DOM based XSS:


Vulnerable code:

 //display the correct tab based on the url (#name) var pathname = $(location).attr('href');var urlparts = pathname.split("#");

I would like to give full credits to David Vieira-Kurz from Majorsecurity.com (@secalert), for helping me sort out the vulnerable code.

Yet another security researcher, David Sopas also found the same issue but on the English version of the site:

http://labs.davidsopas.com/2013/01/avg-vulnerable-to-dom-xss.html

4 comments:

  1. rafay u did not yet write an article on DOM xss ... when are u writing one ?

    ReplyDelete
  2. My hearty apologies, We are working on a white paper on "DOM XSS ATTACKS", which is to be released soon.

    ReplyDelete
  3. Nicely written. Dude, you are the real master of hacker world. I guess you should contact 'Anonymous'? ;) :P :D I am serious! You deserve that!

    ReplyDelete
  4. Sir. Pls post article on How to hack facebook account 2013

    ReplyDelete

© 2016 All Rights Reserved by RHA Info Sec. Top

Contact Form

Name

Email *

Message *

Powered by Blogger.