I do not know how, but somehow I ended up on Mozilla's add-ons site. The site gives logged-in users the option to create collections. According to Mozilla, "collections are groups of similar add-ons that anyone can create and share". Collections are publicly viewable because the site provides a unique URL per collection. The site has a form with fields like Name, Description and the add-ons to include in the collection. The Name field of the collection form was vulnerable to a stored XSS.
I created a collection with the Name xxxxxxxx'yyyyy</img in order to see how the site handles special characters in the Name. The collection can be seen here: https://addons.mozilla.org/en-US/firefox/collections/soaj1664/xxxxxxxx-yyyyy-img/. The screenshot shows the reflection of interest, i.e., the Name rendered as part of the <title> tag. One can see in the screenshot that < is neither encoded nor filtered in this HTML context, i.e., the probe string appears verbatim inside the <title> tag. Note that </img does not close anything here: the content of <title> is RCDATA, so the browser treats < as plain text and the only thing that ends the element is a </title> end tag. That is exactly what the next step exploits.
For XSS, when your input lands inside the <title> tag and < is not encoded or filtered, simply closing the title tag prematurely with </title> does the job, and after that one can execute JavaScript of one's choice. The payload I used looks like </title><svg/onload=confirm(document.domain)//. The screenshot shows the persistent XSS. The URL where it could be seen at the time (before the fix was deployed) is: https://addons.mozilla.org/en-US/firefox/collections/soaj1664/a-img-src-1-gif-onerror-alert/. The stored XSS is now fixed. Isn't it that simple :) The standard remediation for this class of bug is to HTML-encode the Name (at least <, > and &) before placing it in the title, exactly as for any other HTML text context; once < becomes &lt; there is no way to spell </title> from user input.
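To make the title-context point concrete, here is a small model of what the browser does with the two strings from this post. This is an added example written for this page, not code from the post or from Mozilla's addons site; the template suffix " :: Add-ons for Firefox" is an assumption standing in for whatever the real page appends to the collection name, and rcdata_split is a deliberately minimal model of the HTML tokenizer's RCDATA handling, not a full parser.

```python
import html
import re

# Constructed template: a stand-in for the <title> of a collection page.
# The real template is not on this page; this suffix is an assumption.
TITLE_SUFFIX = " :: Add-ons for Firefox"

# The two inputs from the post: the first probe and the working payload.
PROBE = "xxxxxxxx'yyyyy</img"
PAYLOAD = "</title><svg/onload=confirm(document.domain)//"

# A </title> end tag is recognised only when "</title" is followed by
# whitespace, "/" or ">" (the tokenizer's RCDATA end tag name state).
TITLE_END = re.compile(r"</title(?=[\s/>])", re.IGNORECASE)


def render_title_vulnerable(name: str) -> str:
    """Name dropped into <title> verbatim, as the post describes."""
    return f"<title>{name}{TITLE_SUFFIX}</title>"


def render_title_fixed(name: str) -> str:
    """Name HTML-encoded first, so '<' can never start '</title'."""
    return f"<title>{html.escape(name)}{TITLE_SUFFIX}</title>"


def rcdata_split(markup: str):
    """Model how a browser consumes the content of <title>.

    <title> is an RCDATA element: '<' inside it is plain text and does not
    open a tag, character references are decoded, and the element ends only
    at a real </title> end tag. Returns (title_text, rest), where rest is
    everything from that end tag onwards.
    """
    assert markup.lower().startswith("<title>")
    body = markup[len("<title>"):]
    m = TITLE_END.search(body)
    if m is None:
        return html.unescape(body), ""
    return html.unescape(body[:m.start()]), body[m.start():]


def tags_after_title(markup: str):
    """Start tags a parser sees once the title has closed.

    In this template nothing legitimate follows the title text before the
    real </title>, so any start tag found here came from the Name field.
    """
    _, rest = rcdata_split(markup)
    return re.findall(r"<([A-Za-z][^\s/>]*)", rest)


def breakout(render, name: str) -> bool:
    """True if the given renderer lets this Name escape the title context."""
    return bool(tags_after_title(render(name)))


if __name__ == "__main__":
    for name in (PROBE, PAYLOAD):
        for render in (render_title_vulnerable, render_title_fixed):
            print(f"{render.__name__:24} {name!r:52} -> "
                  f"{tags_after_title(render(name))}")
```

Running it shows why the first probe looked harmless: in the vulnerable template the </img sequence is swallowed as title text and no tag appears after the title, while the </title> payload yields an svg start tag outside the title and therefore a live onload handler. With the Name escaped, even the payload stays inside the title as inert text. The same escaping would not be sufficient in an attribute or a script block; the encoding has to match the context the data lands in.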
I filed a bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1235190) on 26-12-2015 and it was fixed on 07-01-2016. Mozilla awarded me $2500 for this persistent XSS, which could have been used to serve malware, run a malicious campaign or mount a drive-by download. I was informed that Mozilla will soon release a notice/advisory here: https://www.mozilla.org/en-US/security/advisories/.
Further, I found two more XSSes (low profile), i.e., one in the Mozilla add-ons site (https://addons.mozilla.org/en-US/firefox/) and one in the Mozilla Support site (https://support.mozilla.org/en-US/). The XSSes are not yet fixed and I will update this post once fixes are deployed for these two XSSes. Update: the XSSes are now fixed.
1) Self-XSS in the Edit Review feature of the Mozilla add-ons site: the bug can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=1237967 and deployed fix information can be seen here:
2) Self-XSS in the Mozilla Support mobile site's main search bar: the reported bug is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1238252 and the deployed fix can be seen here: https://github.com/mozilla/kitsune/commit/8eefb30593013e1fb69ed4b4724ef5d457e020bf
Both of these are self-XSS: the payload only executes for the user who types it in, so there is no stored or link-delivered victim, which is why they are rated low profile compared with the collection Name bug.
Feel the power, really a great work Sir!!
Wish I could also do these things :(