http://anti-virus.cloudflare.com XSS(Cross Site Scripting) Vulnerability

October 17, 2011

0×1 Site : http://anti-virus.cloudflare.com
0x3 Author : Sandeep Kamble
0×4 Reported : October 12, 2011
0×6 Public Release : October 17 2011
0x7 Status: Fixed

Description :

Anti-virus.cloudflare.com is a service for avoiding spams .
This project to stop attacks and educate visitors with infected computers about how they can clean up their machines.

Affected Variable :
?b_src=

Exploit :
Executing Javascript using the vulnerable variable called as ?b_src= . This attack is commonly know as Cross Site Scripting (XSS)
Anti-virus.cloud + affected script having stored Xss attack which can used for the grabbing the cookies .

POC :

Screen Shot :

Cloud XSS


Countermeasure :

1) Determine whether HTML output includes input parameters
2) In short perform input sensitization

Conclusion

I like to thank the cloudflare Security Team for their quick responses to my reports.

We Provide Penetration Testing


We Provide Penetration Testing