I used to watch Badea’s show “In gura presei”, kindly provided as a recorded stream on antena1.ro.
While listening to the stream, I could not resist checking the site’s design, functionality and, of course, its security.
And voila: it seems that the streaming archive section of antena1.ro is vulnerable to reflected XSS.
Code for PoC XSS reflection:
Code:
DISCLAIMER: this post is intended purely for security research and educational purposes, and is also intended to urge the vendor to fix the problems posing threats to its customers. Any use of this information is the sole responsibility of the reader, and the author is not to be held liable for any misuse of the above technical details.
The first article, showing ejobs.ro security weaknesses, is here.
Now we continue with an XSS-with-DNS experiment.
First, ejobs.ro offers, as a *feature*, the ability for users to create some kind of subdomain on ejobs.ro that links to either the Romanian or the English version of their CV. Even though it looks like a cool feature, it wasn’t given much thought:
Now to the experiment part. ejobs.ro and bestjobs.ro are two competing HR/recruitment firms (at least that is how they position themselves on the market; who knows, maybe the same shadow person owns both).
Using a stored XSS attack with an iframe, combined with the subdomain feature, we get the following:
In the CV section of your ejobs.ro account, in the Objectives text box, use the following iframe injection code to check the proof:
Code:
<iframe
src=http://www.bestjobs.ro
width=800
height=240
>
</iframe>

<iframe
src=http://www.ejobs.ro
width=800
height=240
>
</iframe>
They are clearly missing something in their security approach to web application development: user-supplied HTML from the CV form is stored and rendered back without being encoded or filtered.
That’s it for now. See you next time.