Twitter [Mobile] Account Settings Cross Site Scripting and Multiple HTML Injection

January 5, 2012

--------
0x1 Title: Twitter [Mobile] Account Settings Cross Site Scripting and Multiple HTML Injection Vulnerability
0x2 Script Link: https://mobile.twitter.com/settings
0x3 Author: Sandeep Kamble
0x4 Reported: December 28, 2011
0x5 Vulnerability Fix Date: Jan 05, 2012
0x6 Public Release: Jan 05, 2012
0x7 Browser: Firefox, IE
0x8 OS: Win7, Ubuntu
--------

Description of script:

Twitter provides features to protect user privacy. Using the account settings you can protect your Tweets, change your username, change your password, and change your e-mail address.

Affected script URL:

URL #1: https://mobile.twitter.com/settings/screen_name
URL #2: https://mobile.twitter.com/settings/name

Vulnerability Description:

1) Cross Site Scripting Vulnerability (Twitter mobile is affected by user-side XSS, and it was protected against clickjacking):

Cross-Site Scripting is a type of injection attack in which malicious JavaScript is injected into a web site's dynamic pages.

2) HTML Injection Vulnerability (Twitter mobile is affected on the user side; one HTML injection was stored)

HTML Injection is a type of injection in which malicious HTML code is injected into a web site's pages.

Exploit Description + Proof of Concept:

URL #1: https://mobile.twitter.com/settings/name

Title #1: Stored HTML Injection Vulnerability

At the above URL there is one input box for changing the name. The HTML code of the input box is as follows.

Image1

Twitter allows only 20 characters in the name field.
If we try to execute malicious HTML code, the HTML code looks as follows:

HTML Code : “>sandeep

Image2

The malicious HTML code executed successfully, matching the syntax of the input box. The following shows the output of the above input box code execution.

image4

URL #2: https://mobile.twitter.com/settings/name
Title #2: Cross Site Scripting and HTML Injection Vulnerability

At the above URL there is one input box for changing the user name. The HTML code of the input box is as follows.

image7

In the input box we can execute JavaScript as well as HTML code, so it is vulnerable to cross-site scripting and HTML code injection.

JS : "><script>alert(document.domain)</script>

image9

The malicious JS code executed successfully, matching the syntax of the input box. The following shows the output of the above input box code execution.

image100

Similarly, we can execute HTML code, but it is not a stored HTML code execution.

image5

Check Out Video Here

http://dl.dropbox.com/u/18007092/twitter.swf

Countermeasure

1) Determine whether HTML output includes input parameters
2) In short, perform input sanitization
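
The two countermeasures above, as an added example that is not part of the original advisory and is not Twitter's code: a settings field rendered with and without output encoding, plus a check for input parameters that reach the HTML output unencoded. All function names and the sample value are hypothetical and constructed for illustration.

```javascript
// Added example: output encoding for a settings form field (all names hypothetical).
const MAX_NAME_LENGTH = 20; // limit stated in the advisory for the name field

// Encode every character that can terminate an attribute value or open a tag.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the submitted value is concatenated into the attribute as-is,
// so a value starting with "> closes the attribute and the <input> tag.
function renderNameFieldUnsafe(name) {
  return '<input type="text" name="name" value="' + name + '">';
}

// "After": enforce the length limit on the server and encode on output.
function renderNameFieldSafe(name) {
  const trimmed = String(name).slice(0, MAX_NAME_LENGTH);
  return '<input type="text" name="name" value="' + escapeHtml(trimmed) + '">';
}

// Countermeasure 1: does the HTML output include an input parameter verbatim?
// Only values containing markup-significant characters are of interest.
function reflectsRawInput(html, params) {
  return Object.entries(params)
    .filter(([, v]) => /[<>"']/.test(v) && html.includes(v))
    .map(([key]) => key);
}

// Constructed sample input: a harmless marker using the same "> breakout.
const sample = { name: '"><b>sandeep</b>' };

function demo() {
  const unsafe = renderNameFieldUnsafe(sample.name);
  const safe = renderNameFieldSafe(sample.name);
  return {
    unsafe,
    safe,
    unsafeFindings: reflectsRawInput(unsafe, sample), // parameters reflected raw
    safeFindings: reflectsRawInput(safe, sample),
  };
}

console.log(demo());
```

The reflection check only flags verbatim copies of a parameter, so it is a regression test for templates rather than a replacement for encoding at every output point.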


Warm Regards,
Sandeep Kamble
www.sandeepkamble.com

We Provide Penetration Testing

