Comments on: The Pownce Worm (Yet Another Potential AJAX Worm)

By: pdp

pdp — Wed, 07 May 2008 14:52:32 +0000

true, the POC was written exclusively for FF.

By: ynnhoj

ynnhoj — Wed, 07 May 2008 09:13:54 +0000

This is not working with every browser. Because atob() is not standard in JavaScript. Probably it could work withe unescape().

By: tweetycoaster

tweetycoaster — Sat, 16 Feb 2008 18:32:54 +0000

I found plaxo.com also xssable and wormable when I test simple and plain xss stream as to First Name entry field.

By: Acidus

Acidus — Fri, 15 Feb 2008 14:09:13 +0000

got it. thanks

By: pdp

pdp — Thu, 14 Feb 2008 23:57:33 +0000

Acidus, your question makes perfect sense. There is a second <script> </script> text entry which closes both and fixes the code so that it runs perfectly fine. However, in some cases like where the profile needs to be xssed for unauthenticated users you have to use */<script>/* as this strings is repeated several times across the page. And you need to do that because of a Google Analytics breaking the end of script and making the code not executing at all. But as I said this is only applicable for unauthenticated users. Does that make sense? I guess it needs more detailed explanation.

By: Acidus

Acidus — Thu, 14 Feb 2008 22:30:03 +0000

Hmmm, perhaps I’m missing something. I see how you use a start SCRIPT tag and then a code comment to blank everything between the injection point and the “user supplied but sanitized” data. I also see how us end the “user supplied but sanitized” data with a code comment to blank out everything after the “user supplied but sanitized.”

But where is the end script tag? You JavaScript will not run unless the SCRIPT tag is closed. And assuming there is a end SCRIPT tag on the page after your “user supplied but sanitized” data, you will get an unterminated comment syntax error for that script block. The only way this will work is if there is a script tag later in the page that has a closing code comment AND the rest of the code will not invoke a syntax error

I hope this is making sense! Take a look at the HTML on http://msblabs.org/filedump/frag.html

The injected code alert(555) can only run because later in the HTML their is a SCRIPT block that can close both the open code comment and the open SCRIPT tag. Was that the case in the site you were exploiting?

By: Adrian Pastor

Adrian Pastor — Thu, 14 Feb 2008 09:33:25 +0000

This is a nice example of combining two vectors in order to accomplish fully working JS injection: an unfiltered - but limited by length - field, and a filtered but unlimited by length field.

By: InfoSecNirvana

InfoSecNirvana — Thu, 14 Feb 2008 02:36:57 +0000

Nice job. I mentioned Pownce in my blog earlier this week as one of the applications that corporate information security people need to worry about. http://infosecnirvana.blogspot.....-leak.html

By: Mauvis

Mauvis — Wed, 13 Feb 2008 21:54:12 +0000

I thought this was a cool read and something we should all look out for while making Air apps. Thanks for the post!

By: pdp

pdp — Wed, 13 Feb 2008 18:00:27 +0000

yes leah, the vendor (Pownce) was responsibly contacted about the issue and a patch was released to cover the whole before we’ve made our findings public. but just to stress out so that everybody knows.

we’ve contacted the vendor about the issue and as a result a patch was released before we’ve made our findings public! the vendor’s response was remarkably quick.

By: Leah Culver

Leah Culver — Wed, 13 Feb 2008 17:56:28 +0000

This has been fixed already.

By: pdp

pdp — Wed, 13 Feb 2008 17:44:10 +0000

well, credits due to RSnake for coming with this brilliant proof of concept script. 10x R… it works well.

By: fodznipor

fodznipor — Wed, 13 Feb 2008 16:39:04 +0000

Aaack! If you’re going to inflict us with a picture of Sylvester Stallone in a wig and an Hawaiian shirt, at LEAST give us a barf-bag first! :-D

By: vindic

vindic — Wed, 13 Feb 2008 10:13:01 +0000

amazing find, thnx pdp :) and /* */ it’s just great way