22 Jan 11
StFX Students’ Union “Social Network”
In my previous post, I mentioned how TheU introduced the “Social Network” as an “exclusive network for StFX.” Being critical of TheU, I finally mustered the courage to join this excuse for a web application and take a look. What I found was what I expected.
I found a large number of XSS, injection, and CSRF vulnerabilities. I compiled a list of about 12 of these vulnerabilities within 10 minutes of using the website (without poking around). I decided to write a small PoC and test one of the XSS vulns. The proof was a small amount of JavaScript which I placed inside the “About” section of my profile, although nearly every input field I came across within the profile editing module was vulnerable. The JavaScript would alert() the user to check out my blog, and would then window.location the user to a page. The page would crash Internet Explorer (if the user was using it). If the user was not using Internet Explorer, it would merely display my blog.
It took four days for the developers at the application-mill (like a puppy-mill, but for crappy application clones [like the Facebook clone TheU bought for $10,000]) to see the problem and fix it. All of this could have been avoided by validating user input and, above all, encoding it on output: running every piece of profile data through PHP’s htmlentities() (with ENT_QUOTES, so that values echoed inside attributes are covered too) at the point where it is written into a page would have fixed the problem before the service was opened to the public. The fact that security best practices were not (and are not) being followed literally makes this $10,000 Facebook clone utterly worthless. The XSS vuln alone made the website worthless. A $10,000 bug, if you will.
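The vulnerable pattern and the fix described above, as an added example that is not part of the original post or of the application it describes: a minimal Node.js model of a profile page that echoes the stored “About” and homepage fields, once unescaped (stored XSS) and once through an escape function equivalent to PHP’s htmlspecialchars()/htmlentities() called with ENT_QUOTES. The two payloads, the blog URL, the field names and the helper functions are all constructed for this example.

```javascript
// Added example, not code from the original post or from TheU's application.
// Models a PHP-style profile page that echoes stored user fields into HTML,
// first without escaping and then escaped the way htmlspecialchars()/
// htmlentities() with ENT_QUOTES would do it.

// Constructed payload modelled on the PoC described in the post: an alert()
// followed by a window.location redirect. The blog URL is hypothetical.
const ABOUT_PAYLOAD =
  '<script>alert("Check out my blog");window.location="http://blog.example/";</script>';

// Constructed payload for the attribute context: closes the value="" quote and
// plants an event handler that fires without any user interaction.
const ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.cookie)';

// Equivalent of PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8'): encode the
// five characters that can break out of text or quoted-attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: stored profile data is concatenated straight into the
// page, exactly the bug the post describes.
function renderProfileVulnerable(profile) {
  return `<div class="about">${profile.about}</div>` +
         `<input name="homepage" value="${profile.homepage}">`;
}

// Hardened rendering: every user-controlled value is escaped at the point it is
// emitted. Attribute values must be inside quotes for this escaping to suffice.
function renderProfileSafe(profile) {
  return `<div class="about">${escapeHtml(profile.about)}</div>` +
         `<input name="homepage" value="${escapeHtml(profile.homepage)}">`;
}

// What a browser takes as the homepage input's value attribute: everything up
// to the next raw double quote. Anything after that quote becomes live markup.
function extractHomepageValue(html) {
  const m = /name="homepage" value="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// True if the rendered page still carries an executable <script> element.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demo over the constructed attacker profile.
const attackerProfile = { about: ABOUT_PAYLOAD, homepage: ATTRIBUTE_PAYLOAD };
const vulnerable = renderProfileVulnerable(attackerProfile);
const safe = renderProfileSafe(attackerProfile);

console.log('vulnerable:', vulnerable);
console.log('  script element present:', containsScriptElement(vulnerable));
console.log('  homepage attribute value:', JSON.stringify(extractHomepageValue(vulnerable)));
console.log('safe:', safe);
console.log('  script element present:', containsScriptElement(safe));
console.log('  homepage attribute value:', JSON.stringify(extractHomepageValue(safe)));
```

In the vulnerable output the value attribute ends at the attacker’s first quote, so `autofocus onfocus=...` becomes a real attribute and the script element in the About section executes; in the escaped output both payloads are inert text. The caveat a practitioner would add: htmlentities()/htmlspecialchars() only covers data placed into HTML text or quoted attribute values. Data written into a `<script>` block, a URL, or an unquoted attribute needs encoding for that context, and none of this replaces CSRF tokens for the other class of bug the post mentions.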
To avoid any more reiteration of my thoughts on the matter, I’ll leave you with the following:
