Sunday, January 20, 2013

AVG vulnerable to DOM XSS


I discovered a DOM XSS vulnerability in AVG; it is located in the download section of the official website.

Because the URL is not escaped or encoded by the code in the file js_stdfull.js, a user could inject code into the website.

Vulnerable code:
//display the correct tab based on the url (#name)
var pathname = $(location).attr('href');
var urlparts = pathname.split("#");

Proof of concept:
http://www.avg.com/eu-en/download#"><img src=x onerror=prompt(/xss/);>


This XSS vector worked fine with Chrome, but you could change it to work with other browsers as well.
This issue has already been fixed, but I didn't get any reply from their team.
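
An added example, not code from the original post or from AVG: the fragment handling shown above next to a hardened version that accepts the fragment only when it names a known tab. The tab names, the default tab and the function names are assumptions, and the jQuery call is replaced by a plain string argument so the code runs under Node.

```javascript
// Added example: tab names are assumptions, not taken from avg.com.
const ALLOWED_TABS = new Set(["free", "trial", "business"]);
const DEFAULT_TAB = "free";

// The post's logic, with $(location).attr('href') replaced by a string argument:
// everything after the first "#" is returned unmodified.
function legacyFragment(href) {
  const urlparts = href.split("#");
  return urlparts.length > 1 ? urlparts[1] : "";
}

// Hardened: decode, then accept the fragment only if it names a known tab.
function safeTabFromUrl(href) {
  let fragment;
  try {
    fragment = decodeURIComponent(new URL(href).hash.slice(1));
  } catch (e) {
    return DEFAULT_TAB; // malformed URL or bad percent-encoding
  }
  return ALLOWED_TABS.has(fragment) ? fragment : DEFAULT_TAB;
}

// Defence in depth for any value that must still be written into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed inputs; the second is the proof-of-concept URL from the post,
// the third carries a truncated percent-escape.
const samples = [
  "http://www.avg.com/eu-en/download#trial",
  'http://www.avg.com/eu-en/download#"><img src=x onerror=prompt(/xss/);>',
  "http://www.avg.com/eu-en/download#%E0%A4%A",
];
for (const href of samples) {
  console.log(JSON.stringify({
    legacy: legacyFragment(href),
    safeTab: safeTabFromUrl(href),
    escaped: escapeHtml(legacyFragment(href)),
  }));
}
```

In a browser the same check would take `location.hash` as input, and the validated tab name would be applied through an API that does not parse HTML.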

3 comments:

  1. Dear David,
    your website is very informative, please configure a newsletter option (FeedBurner or MailChimp) so that we can subscribe to your blog...

  2. arjun, thanks for your comment. I agree. Already added that option.

  3. Hi David, I would like to know how to identify the DOM objects the application is calling. Can you please provide me with some references or such that would be helpful in learning things.
