LinkedIn Cross Site Scripting
Posted on 20 November 2015
LinkedIn social network affected by Persistent Cross-Site Scripting vulnerability(XSS) (patched in less than 3 hours) ========================= I. VULNERABILITY ------------------------- LinkedIn social network is affected by Persistent Cross-Site Scripting (stored XSS) vulnerability. II. BACKGROUND ------------------------- LinkedIn is a social networking service and website operates the world's largest professional network on the Internet with more than 187 million members in over 200 countries and territories. More Information: http://press.linkedin.com/about III. DESCRIPTION ------------------------- LinkedIn social network is affected by Persistent Cross-Site Scripting vulnerability. The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. The affected resource is http://community.linkedin.com/questions/ask.html , the help center discussion forum. IV. PROOF OF CONCEPT ------------------------- After signing in, go to LinkedIn Help Center( https://help.linkedin.com/app/home/) --> Help Forum(tab) --> Start a Discussion (http://community.linkedin.com/questions/ask.html). In the 'Your Question' field you can enter random chars(min. 10), although its a vulnerable field too. The 'Enter tags' field can have any tags. In the 'Give more Details' field you can put this:- padding padding padding <<a></a>body onload = alert('XSS') > The '<a></a>' tags are important. LinkedIn filters detect and remove content with chars after opening html tag(<), eg: 'aa<body>d' will get modified to just aad. The '<a></a>' go through the filter and get removed resulting in '<body onload = alert(1) >', which executes nicely. Finally, once the question gets posted it(along with the script execution) can be immediately viewed in Help Forum-->Your Discussions or in the questions public list, or the questions page of your tag.(could be easily used for a xss worm!) * POC Video link at end V. BUSINESS IMPACT ------------------------ If a malicious user will find a way to exploit this vulnerability could make other users perform actions that she wanted in the application because the csrf token is useless, since based on the user's session. The vulnerability could be used to spread a XSS worm using help forums. XSS attacks can have a profound impact on an organizations reputation and security, as well as the security of its customers. VI. SYSTEMS AFFECTED ------------------------- The vulnerability affects the LinkedIn network. VII. CREDITS ------------------------- These vulnerabilities have been discovered by Rohit Dua (https://in.linkedin.com/in/rohitdua). (https://github.com/rohit-dua) VIII. DISCLOSURE TIMELINE ------------------------- Nov 16, 2015: Vulnerability acquired by Rohit Dua( https://in.linkedin.com/in/rohitdua). Nov 16, 2015 11:15 PM: Responsible disclosure to Linkedin Security Team. Nov 16, 2015 11:28 PM: Initial vendor notification sent Nov 17, 2015 02:12 AM: Vendor implemented a fix* Nov 18, 2015: Disclosure * LinkedIn sec. team fixed the bug within 3 hours of reporting. IX. Links ------------------------ screenshot:- http://www.rohitdua.com/images/linkedin-xss-screenshot.png injected-code:- http://www.rohitdua.com/images/linkedin-xss-injected-code.png POC Video:- https://www.youtube.com/watch?v=01I9ImHP26o