How I Found Stored XSS in Thousands of Sites under Typepad


Note- The writer won’t be responsible of any harm caused by anyone by making this bug public. This is published for educational purposes.

In this writeup, I will be sharing one of my findings, wherein I found stored XSS in blogs powered by Typepad. (This bug remains unfixed in many sites! 0-day? IDK :\) )

Typepad- What’s That?

Typepad is a blogging service owned by Endurance International Group, previously owned by SAY Media. It ranks among the top blogging platforms available online, alongside WordPress, Blogger, Tumblr etc.

According to Wikipedia, Typepad is currently used by many large organizations and media companies to host their weblogs, such as ABC, MSNBC, the CBC, the BBC and Sky News.

In addition to that, it is used as an individual blogging platform, both with custom URLs and in the anysite.typepad.com format.

Finding Stored XSS

This bug was found and reported by me last year. I found this stored XSS issue in one of the subdomains running under Microsoft. Though Microsoft acknowledged the issue by putting my name in their Hall of Fame, they advised me to report it directly to Typepad, as the stored XSS was caused by the comment box (which was powered by Typepad).

More Details-

Below each Typepad blog post, there is an option to comment on it (which allows the usage of HTML tags).

Please note that this works on a particular kind of comment box, which allows the usage of tags. However, my hacker friends may find this on others after this article has gone live. ;)

Comment Box Vulnerable

Hey, but what is the XSS payload used?

<p><a title="" href="wow/"><img src=x onerror=alert('hi')>"target="_self">"><</a></p></span></p>

This payload triggers a permanent stored XSS whenever the page gets loaded.

Immediate Prevention Steps

I noted that after a certain period of time, the option to comment automatically gets closed. I really don't know whether this was customised by the owners.

Site admins can also moderate comments before they get posted directly on the site.

Sites using Cloudflare also block this payload.
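The real fix for the payload shown above is server-side sanitization of comment HTML rather than relying on a WAF or on comments closing. As an added example (my own code, not Typepad's and not part of the original writeup), here is an allowlist-based sanitizer built on Python's standard-library html.parser: unknown tags such as img are dropped, every on* attribute is dropped, href values are limited to http/https/mailto or relative paths, and all text is re-escaped so the stray quotes and angle brackets in the payload become inert. The ALLOWED_TAGS and ALLOWED_ATTRS sets are my assumptions for a comment box that permits basic formatting and links.

```python
# Added example: allowlist-based sanitizer for blog-comment HTML.
# Not Typepad's code; ALLOWED_TAGS / ALLOWED_ATTRS are assumptions for
# a comment box that permits basic formatting and links.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "a", "b", "i", "em", "strong", "code", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # no attributes on any other tag
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


def safe_href(value: str) -> bool:
    """Accept absolute http(s)/mailto URLs and relative paths; reject any
    other scheme (javascript:, data:, vbscript:, ...)."""
    v = value.strip().lower()
    if v.startswith(SAFE_URL_PREFIXES) or v.startswith("/"):
        return True
    return ":" not in v          # "wow/" is fine, "javascript:..." is not


class CommentSanitizer(HTMLParser):
    """Re-serialises input HTML keeping only allowlisted tags/attributes.
    Text is always escaped on output, so the stray quotes and angle
    brackets in the payload above end up as harmless text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []      # tags we emitted, so the output stays balanced

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return               # <img>, <script>, <span>, ... are dropped outright
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                continue         # event handlers never pass (the allowlist would reject them too)
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":          # void element, never closed
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return               # unmatched or disallowed close tag: ignore it
        while self.open_tags:    # also close anything still open inside it
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()             # flush buffered text
        while self.open_tags:    # close tags the commenter left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(raw_html: str) -> str:
    """Return a safe HTML fragment for storing/rendering a comment."""
    p = CommentSanitizer()
    p.feed(raw_html)
    return p.result()


if __name__ == "__main__":
    # The payload from the writeup, with its quotes normalised.
    payload = ('<p><a title="" href="wow/"><img src=x onerror=alert(\'hi\')>'
               '"target="_self">"><</a></p></span></p>')
    print(sanitize_comment(payload))
    print(sanitize_comment("<p>Nice post, <b>thanks</b>!</p>"))
```

Run against the payload, the img tag and its onerror handler disappear entirely and what survives is a plain link with literal text after it; a benign formatted comment passes through unchanged. The allowlist is the actual defence here: stripping on* attributes is only a second line, since a sanitizer that denylists known-bad attributes is exactly the kind that such payloads are crafted to slip past.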

Takeaways

A few months back, when I tweeted this to a security researcher, I made the mistake of not checking whether it was still unfixed!

I took note of this while checking through my old submissions recently and asking them for a Letter of Appreciation. (College guy.)

If a site continues to ignore this issue after this much time, I believe there won't be any issue if I publicly disclose this. :)

Initially, a year back, when I contacted the Typepad security/customer support team, this was the response I got!

Well, I totally respect their view, but I humbly opine that they could have at least tried patching this after such a long time.

I checked many Typepad blogs a few days ago; 8 out of 10 are vulnerable to stored XSS. I really can't tell for sure whether they did something to remediate this bug, because the only thing they messaged me back was "we are thankful for bringing the issue to us"!

Some Typepad blogs are vulnerable while some are not.

Below is the link to the working exploit I created a year back.

EDIT- The above POC has since been removed from the site after this article got published.

Typepad has a feature known as "Showcase" where it puts up the best blogs. I found this site there.

Let me share a part of my POC-

Hope the article was helpful. You can follow me at @Circleninja on Twitter.
