Tuesday, December 8, 2015

Creative bug which results in stored XSS on m.youtube.com

Hi all!
It's been a long time since I blogged about my findings, so today I'm going to post about my creative bug on YouTube.
It all started back in April 2015. I was checking Google for some bugs and didn't find anything, so I decided it was time to put the research aside and go play MW3 on my PlayStation 3.
I turned on my PS3 and suddenly noticed the YouTube application that exists on the PS3.
This application lets you play music/movies from anywhere on your PS3.
I started to search for documents about it and found that I can share my connected TV with any mobile/tablet/PC, etc.
So I opened my PC and found out that I can actually stream my YouTube music to my PS3. COOL!
I also noticed that every person connected to my WIFI can actually connect to it and stream to my PS3....wait! DO WHAT?!
Let me repeat this slowly...any user on my WIFI can see the PS3 name and stream anything to my PS3......:)!
So I fired up my Burp Suite, configured my PS3 to use my remote proxy and was ready to capture the PS3 requests.
I set a new name on my PS3 and captured the request.
As you can see, the screen_name field can be changed to any name with special chars and no check exists. I set it to the very simple and well-known XSS vector `Sasi"><img src=y onerror=confirm(document.domain)>` and continued the request. As a result I saw that the screen name is now `PatrikIsMyFriend"><img src=y onerror=confirm(document.domain)>`, without any JS being executed.
So, if my creativity was not good enough so far, I came up with the idea of changing the user-agent to Android, because hey, you can use this TV name on any WIFI connection. After setting my user-agent I got redirected to m.youtube.com, which contains lots of div tags to display content.
I searched for some Rammstein music, clicked on which TV I want to play the music on, and the XSS popped up.
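The root cause here is a stored value (the TV's screen_name) that is accepted without validation and later written into the mobile device picker without HTML encoding. The following is an added example, not YouTube's or my own code from the report, showing the two controls that close that gap: validating the name at the pairing endpoint and encoding it at render time. The payload from the request above is used as constructed input; the `<div>` layout, the `data-name` attribute and the 64-character limit are assumptions.

```javascript
// Constructed input: the exact vector used in the post.
const SAMPLE_SCREEN_NAME = 'Sasi"><img src=y onerror=confirm(document.domain)>';

// Vulnerable rendering: the stored screen_name is concatenated straight into
// markup, so a quote breaks out of the attribute and a '<' opens a new tag.
function renderDeviceUnsafe(screenName) {
  return `<div class="device" data-name="${screenName}">${screenName}</div>`;
}

// Output encoding for HTML text and double-quoted attribute contexts.
// Encoding all five characters makes the same helper safe in both places.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened rendering: identical layout, but every interpolation is encoded.
function renderDeviceSafe(screenName) {
  const safe = escapeHtml(screenName);
  return `<div class="device" data-name="${safe}">${safe}</div>`;
}

// Input validation at the pairing endpoint (assumed policy): a TV name has no
// business containing markup, so reject anything outside a small, printable
// character set and cap the length at 64. This is defence in depth only;
// output encoding above is the control that actually prevents the XSS.
const SCREEN_NAME_RE = /^[A-Za-z0-9 _.-]{1,64}$/;
function validateScreenName(screenName) {
  return typeof screenName === 'string' && SCREEN_NAME_RE.test(screenName);
}

// Returns true when the rendered fragment no longer contains an element
// injected from the name, i.e. the only '<' characters are the div's own.
function renderIsClean(fragment) {
  return fragment.match(/</g).length === 2 && !fragment.includes('"><');
}

console.log('unsafe:', renderDeviceUnsafe(SAMPLE_SCREEN_NAME));
console.log('safe:  ', renderDeviceSafe(SAMPLE_SCREEN_NAME));
console.log('valid? ', validateScreenName(SAMPLE_SCREEN_NAME));
```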


As always, the Google security team closed the issue within hours!

Thanks for reading!

Sasi