While using the Alexa.com website I found a reflected DOM-based XSS that malicious users could use to trick innocent visitors.
The vulnerability was in tags.js (loaded from a remote location), where the variable "tagSrc" was written into the page without proper sanitizing.
Vulnerable code:
// tagSrc is built from URL-controlled data and concatenated into markup without escaping
t.tagSrc = '<div align="center">'+t.tagSrc+'</div>';
// document.writeln parses the string as live HTML, so any injected tags are executed
document.writeln(t.tagSrc);
When modifying the URL you can inject the code you want:
http://www.alexa.com/tfBuster.html#?flashVer=11&ver=1.25&th=11117008646&tagKey=4138765495&site=alexacom"></script><script>alert(document.cookie);</script><!--&adSpace=miscellanious&center=1&env=display
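To make the sink concrete, here is an added example (not Alexa's code) that models the assumed data flow: a "site" value read from the URL fragment, interpolated into an ad-tag string and handed to document.writeln, shown next to a hardened version that treats the value as data. The function names, the ad-tag layout and the fragment contents are assumptions constructed for this illustration.

```javascript
// Added example, not Alexa's code. Models the assumed flow behind the
// tfBuster.html bug: a "site" value taken from the URL fragment, interpolated
// into an ad-tag string, then written with document.writeln.

// Parse "#?k=v&k2=v2" into an object. The fragment never reaches the server,
// so server-side filtering cannot see it: this is purely client-side input.
function parseFragmentParams(hash) {
  const params = {};
  for (const pair of hash.replace(/^#\??/, '').split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const key = i < 0 ? pair : pair.slice(0, i);
    const val = i < 0 ? '' : pair.slice(i + 1);
    params[decodeURIComponent(key)] = decodeURIComponent(val);
  }
  return params;
}

// Vulnerable pattern: raw concatenation. A site value such as
// alexacom"></script><script>... closes the attribute and the tag, so the
// attacker's markup becomes live HTML once document.writeln runs.
function buildTagSrcUnsafe(site) {
  return '<div align="center"><script src="http://example.invalid/ad.js?site=' +
    site + '"></script></div>';
}

// Hardened pattern: the value is data, not markup. Reject anything outside a
// strict allowlist, then URL-encode it so it can only ever be a query value.
function buildTagSrcSafe(site) {
  if (!/^[a-z0-9]{1,64}$/i.test(site)) return null; // caller renders nothing
  return '<div align="center"><script src="http://example.invalid/ad.js?site=' +
    encodeURIComponent(site) + '"></script></div>';
}

// Constructed fragment in the shape of the proof-of-concept URL above
// (payload percent-encoded, as a browser would send it).
const CONSTRUCTED_HASH =
  '#?ver=1.25&site=alexacom%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%3C!--&center=1';

// Returns what each builder would hand to document.writeln for the same input.
function demo() {
  const site = parseFragmentParams(CONSTRUCTED_HASH).site;
  return { unsafe: buildTagSrcUnsafe(site), safe: buildTagSrcSafe(site) };
}
```

Running demo() shows the unsafe string carrying the injected script element intact, while the hardened builder refuses the value and emits nothing.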
This issue has already been fixed, but it took more than 3 months. It's strange that such a big company couldn't fix this type of vulnerability faster.
Malicious users could use this DOM XSS to spread phishing campaigns with a higher success rate, since the injected code runs under the legitimate alexa.com address.
Timeline:
13 December 2012: Reported this issue.
13 December 2012: Alexa replied and forwarded to engineering team.
26 December 2012: I requested a follow-up. They replied that it was still unpatched.
15 March 2013: Alexa replied that the DOM XSS has been fixed.
I too found this, but they failed to respond to my emails... :(
Deepankar, I agree sometimes it's hard to reach the right department. Thanks for sharing your comment.