RETURN $ecure;

Security, Technology and Life

Snap’s shots execute Javascript?


While checking out the new Themes and Widgets on these WordPress.com blogs, I noticed they had implemented Snap Preview. Snap is a fairly promising search engine whose distinguishing feature is JavaScript-based link previews that can be embedded on any page.

These ‘Snap’shots are presumably identical to the ones the search engine itself uses to preview search results for ease of use.

Now, this is all fairly harmless and seemingly pointless, except that Snap appears to use a Gecko-based browser (probably Firefox) to spider sites, or at the very least to take their snapshots.

Take a look at this screenshot of a MySpace page with an older persistent XSS on it.

[Screenshot: MyXSS]

As you can see, the page’s alert() pop-up shows up inside the Snap Preview, so the snapshot browser is executing the page’s JavaScript.

I knew Google indexes pages carrying XSS, but actually running the JS while taking the snapshot seems like bad practice…


Written by Rodney G

01/15/2007 at 5:40 pm

Posted in Uncategorized


3 Responses


  1. Okay, I’ve gotten a response from Snap. They are apparently aware of this issue and are working on it.
    I also disclosed an XSS vulnerability. But, apparently they don’t like Opera. I get described as (Browser: Unknown Browser).

    kyran

    01/16/2007 at 5:47 pm

  2. Nice find, and http://browsershots.org/ also does the same, or at least they used to – I’m not going to bother trying again, they have some stupid queueing system, which causes me to have to wait extended periods of time….

    And face it, Opera is a largely unknown, or at least unused browser, :p. Ok, ok, Opera is a good browser, but it’s fun to pick on…..well, it’s fun to pick on Opera & you anyway….:p

    kuza55

    01/23/2007 at 6:54 am

  3. Wow, that’s a pretty cool find Kyran, really shows that in this XSS field there is a lot to be learned for many developers.

    Jungsonn

    01/24/2007 at 3:56 pm
