[liberationtech] Burn Note
Steve Weis
steveweis at gmail.com
Wed Feb 1 14:41:43 PST 2012
I reported it to the site owner and received an acknowledgement. He did not
say when it would be fixed. The vulnerability I found is not particularly
interesting and is often used as an example in tutorials.
If you're interested in learning more about the class of attacks, OWASP is
a good resource:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Google also has a nice code lab with a sample app that you can try to
attack:
http://google-gruyere.appspot.com/
On Wed, Feb 1, 2012 at 6:51 AM, Enrique Piraces <piracee at hrw.org> wrote:
> +1, please do.
>
> On 01/31/2012 07:40 PM, Steve Weis wrote:
> > I would not use Burn Note.
> >
> > I just tried it out and found they are vulnerable to cross-site scripting
> > attacks. If you were logged into a Burn Note account, I could hijack it
> by
> > getting you to click one of their links. That would let me see all the
> > outstanding notes your account created which haven't been read yet.
> >
> > I also found that I was able to post junk data to their application
> > endpoints to create broken notes. That means the input is not being
> > sanitized, which makes it more likely to be exploitable. This is a common
> > cause of vulnerabilities like SQL injection.
> >
> > Finally, based on their technical writeup, I don't trust their ability to
> > use encryption properly.
> >
>
> Nicely done. If you've already disclosed, please do share the exploits
> here after they've patched?
>
>
More information about the liberationtech
mailing list