XSS Exploiting via Old Browsers Flaw‏ on Pinterest.com

The flaw is an Image XSS using the JavaScript directive affecting the following browsers
[IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02].
Although new browsers have already patched this issue, it is still a security flaw.
According to a research here http://www.ie6countdown.com/
6.1% of the world’s population still uses IE6
22.2% of population in china also still uses IE6

The reflected xss is located here
The value of the parameter ‘media’ will be inserted into the img src.

<img src="javascript:alert(1)" class="pinPreviewImg" style="">

Hence javascript will be executed



Freelancer.com Stored XSS

On the 8th of August 2013, I reported a persistent cross site scripting vulnerability on freelancer.com
The bug is located in the picture upload function of the site. Attackers can basically create an image file with the attacking vectors. For eg, renaming a normal png file to <img src=”” onerror=”javascript:alert(1)”>.png and just uploading it to the site. The site will echo out the name of the image, thus javascript will be executed.

The bug was fixed on 27/08/2013

Freelancer.com Bug bounty program includes:
1) A freelancer.com t-shirt.
2) Listed on the site Hall of Fame. – http://www.freelancer.com/info/security-hall-of-fame.php
3) A whitehat hacker badge for your freelancer’s profile. -http://www.freelancer.com/u/wuming69.html

Freelancer.com Global Rank: 534



IP Board <3.4.2 – Persistent (Stored) Cross Site Scripting Vulnerability

IP Board – Persistent (Stored) Cross Site Scripting Vulnerability
# Date: December 2012
# Exploit Author: Wuming tgh / Anakorn Kyavatanakij
# Vendor Homepage: https://www.invisionpower.com/
# Software Link: https://www.invisionpower.com/
# Version: Affecting all versions below 3.4.2 (Fixed)
# Tested on: Linux,Windows 7

Critical Stored XSS on imgur.com

Alexa Ranking: 90
A persistent cross site scripting vulnerability locating in the private message feature of the site. The body message part is vulnerable. Attackers could use </textarea> tag to end the textarea tag and start executing malicious codes. Attackers can simply send a private message to anyone. When a victim views the message, javascript will be executed.
Talking with Alan Schaaf (CEO of imgur) made my day. He’s nice and have a good sense of humour!
Reported on October 12 2012 and Fixed on October 13 2012.


Critical Stored XSS on wikihow.com

The vulnerability is located in the real name parameter during registration. During registration, attackers could insert malicious payloads into the ‘real name’ parameter. Basically, every page that the name of the attacker account gets printed will execute the malicious code. It can also be use with XSRF to further exploit the vulnerability.
This vulnerability is reported on 10 November 2012 and fixed on 24 November 2012.
The bug fixing process went very smoothly, thanks to the great engineer team!