Tuesday, July 2, 2013

Issuu DOM XSS

For those who don't know Issuu...
Issuu is an online service that allows for realistic and customizable viewing of digitally uploaded material, such as portfolios, books, magazine issues, newspapers, and other print media. It integrates with social networking sites to promote uploaded material. While most of the documents are meant to be viewed online, some can be downloaded and saved as well. Uploaded print material is viewed through a web browser and is made to look like a printed publication with an animated page flip option. 
I found out that it was possible to inject a DOM XSS vector into their code. The vulnerable code was present in embed.html, in the following line:
document.write('<div data-configid="' + location.hash.replace('#', '') + '" class="issuuembed"></div>');
The value of location.hash wasn't properly escaped and could be used by malicious users to launch DOM XSS attacks through the document.write sink. This could be exploited in phishing attacks or to trick innocent users into clicking on malicious links (with malware).

Proof of concept:
http://e.issuu.com/embed.html#1200954/2011806"><a href=# onmouseover=alert(1);>Click here</a><div x="


This DOM XSS vector could be modified to work on each browser.
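
The vulnerable line next to a hardened equivalent, as an added example that is not Issuu's code and not from the original post. The function names and the digits/digits ID pattern are assumptions; the pattern is inferred from the "1200954/2011806" prefix of the proof of concept, and how Issuu actually fixed the issue is not stated.

```javascript
// Added example: names and the ID pattern are assumptions, not Issuu's code.
// PoC fragment quoted from the post, used here only as test input.
const POC_HASH = '#1200954/2011806"><a href=# onmouseover=alert(1);>Click here</a><div x="';

// The pattern from the post: the raw fragment is concatenated into markup.
function vulnerableMarkup(hash) {
  return '<div data-configid="' + hash.replace('#', '') + '" class="issuuembed"></div>';
}

// Assumed ID format, inferred from the "1200954/2011806" prefix of the PoC.
const CONFIG_ID = /^\d{1,10}\/\d{1,10}$/;

// Return the config ID if the fragment is exactly one ID, otherwise null.
function parseConfigId(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return CONFIG_ID.test(decoded) ? decoded : null;
}

// Escape a string for use inside a quoted HTML attribute (defence in depth).
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// String form of the fix: validate first, escape anyway, emit nothing on failure.
function safeMarkup(hash) {
  const id = parseConfigId(hash);
  if (id === null) return '';
  return '<div data-configid="' + escapeAttr(id) + '" class="issuuembed"></div>';
}

// Browser form: build the node through the DOM API so no HTML parsing happens.
function renderEmbed(doc, hash) {
  const id = parseConfigId(hash);
  if (id === null) return null;
  const div = doc.createElement('div');
  div.className = 'issuuembed';
  div.setAttribute('data-configid', id);
  doc.body.appendChild(div);
  return div;
}
```

In a page, renderEmbed(document, location.hash) replaces the document.write call; a null return means the fragment was rejected and nothing was added to the DOM.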

Timeline:
17 Jun 2013: Reported to Issuu
17 Jun 2013: Issuu reported that they'll fix it ASAP
25 Jun 2013: Issuu reported that they fixed it
01 Jul 2013: Full disclosure
