I do not know how, but somehow I ended up on Mozilla's add-ons site. The site gives logged-in users an option to create collections. According to Mozilla, "collections are groups of similar add-ons that anyone can create and share". Collections are publicly viewable because the site provides a unique URL per collection. The site has a form (available here) with fields like Name, Description and the add-ons to include, for creating a collection. The Name field of the collection form was vulnerable to a stored XSS.
I created a collection with the Name "xxxxxxxx'yyyyy</img" in order to see how the site handles special characters in the Name. The collection can be seen here: https://addons.mozilla.org/en-US/firefox/collections/soaj1664/xxxxxxxx-yyyyy-img/. The screenshot shows the reflection of interest, i.e., as part of the <title> tag. One can see in the screenshot that < is neither encoded nor filtered in an HTML context, i.e., inside the <title> tag that surrounds the reflection of the probe string.
For XSS, when you're inside a <title> tag and < is not encoded or filtered, simply closing the title tag prematurely with </title> does the job, and after that one can execute JavaScript code of his or her choice. The payload I used for XSS looks like </title><svg/onload=confirm(document.domain)//. The screenshot shows the persistent XSS. The URL where it could be seen at that time (before the fix was deployed) is: https://addons.mozilla.org/en-US/firefox/collections/soaj1664/a-img-src-1-gif-onerror-alert/. The stored XSS is now fixed. Isn't it that simple :)
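An added example (not code from Mozilla's add-ons site) showing why the title context is only breakable through a literal end tag, and how output encoding removes that possibility; the title template and the breakout check are stand-ins I wrote for this illustration, and the two inputs are the probe string and payload quoted above.

```python
import html
import re

# The <title> element is a raw-text (RCDATA) context: the HTML tokenizer does not
# start tags inside it, so the only way user data can leave the element is by
# supplying the literal end tag "</title". Encoding "<" before rendering makes
# that impossible. Entities such as &lt; are still decoded when the title is
# displayed, so the visible text is unchanged.

# Constructed stand-in for the page template (not the real AMO template).
TITLE_TEMPLATE = "<title>{name} :: Collections</title>"

# The parser ends the element at "</title" followed by whitespace, "/" or ">",
# regardless of case.
TITLE_END_RE = re.compile(r"</title[\s/>]", re.IGNORECASE)


def render_title_unsafe(name: str) -> str:
    """Interpolates the collection name verbatim: the bug class described above."""
    return TITLE_TEMPLATE.format(name=name)


def render_title_safe(name: str) -> str:
    """Encodes <, >, &, ' and " so the name can never terminate the element."""
    return TITLE_TEMPLATE.format(name=html.escape(name, quote=True))


def title_breakout(page: str) -> bool:
    """Defender-side check on rendered output: True if the title element is
    closed more than once, i.e. user data ended it before the template did."""
    return len(TITLE_END_RE.findall(page)) > 1


if __name__ == "__main__":
    # Constructed sample inputs: the probe string and the payload from the write-up.
    for name in ("xxxxxxxx'yyyyy</img",
                 "</title><svg/onload=confirm(document.domain)//"):
        for render in (render_title_unsafe, render_title_safe):
            page = render(name)
            print(f"{render.__name__:20} breakout={title_breakout(page)!s:5} {page}")
```

Running the check over stored collection names (or over rendered pages in a test suite) flags the exact defect the write-up describes before it reaches production.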
I filed a bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1235190) on 26-12-2015 and it was fixed on 07-01-2016. Mozilla awarded me $2500 for this persistent XSS, which could be used to serve malware, run a malicious campaign or deliver a drive-by download. I was informed that Mozilla will soon release a notice/advisory here: https://www.mozilla.org/en-US/security/advisories/.
Further, I found two more XSSes (low profile), i.e., one in the Mozilla add-ons site (https://addons.mozilla.org/en-US/firefox/) and one in the Mozilla Support site (https://support.mozilla.org/en-US/). The XSSes are not yet fixed and I will update this post once fixes are deployed for these two XSSes. Update: the XSSes are now fixed.
1) Self-XSS in Edit Review Feature of Mozilla Add-on Site: The bug can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=1237967 and deployed fix information can be seen here:
2) Self-XSS in Mozilla Support Mobile Site's Main Search Bar: The reported bug is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1238252 and the deployed fix can be seen here: https://github.com/mozilla/kitsune/commit/8eefb30593013e1fb69ed4b4724ef5d457e020bf