Published on November 16th, 2014

OLX.co.th – XSS to Account Take Over

@author: LongCat
Date: August 14, 2014

For educational purposes only!
Demonstrates how a persistent XSS flaw exposes users to session hijacking (account takeover via the stolen session).
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

Attack Scenario
-----------------
A malicious user hijacks the victim's account
using a persistent cross-site scripting technique,
but I only simulated the attack in my private network
in order to reduce the impact on the production environment.

user lovecat → hack into → user pwnable 😉
Timeline
-----------------
August 14, 2014 - Vulnerability was reported to OLX
August 15, 2014 - OLX replied and offered a free t-shirt
September 10, 2014 - Response from OLX, the bug is fixed
September 10, 2014 - Filter bypass exploit detail sent to OLX
September 11, 2014 - Response from OLX, the bug is fixed (again)

For more information about responsible disclosure:
https://en.wikipedia.org/wiki/Responsible_disclosure