Tuesday, February 3, 2015

XSS on sites using the Instagram API

While developing an application that uses the Instagram API, I noticed that tags come to me unconverted. Of course, this problem is solved in a couple of lines of code. But I thought: what if not all developers convert tags into entities when displaying them on a page, because they trust the API? Who would expect an Instagram description to contain a JS script instead of text?

I found these sites.

First, I added a JS script to my profile description, and to the description of a few photos I added the line
<script>alert(document.cookie);</script>
and several hashtags, including #instagramapi.

The first site I found was Iconosquare.

IconoSquare is a useful application for analyzing and managing your Instagram account. Its user-friendly web interface saves time and helps in communicating with subscribers. IconoSquare can browse profiles and search by hashtag.


On this site I decided to look for my picture under the hashtag #instagramapi; in my case it was a picture of a cat.

Clicking the photo took me to a page that contains the photo's description, but Iconosquare had forgotten to convert HTML tags into entities. This made XSS possible.

On opening the page's source code, it immediately became clear that they had forgotten to convert the tags in the page's meta description.

On the page, they do not convert the name and description of the Instagram profile, and here is the result.

The next site I found was facegram.io.

As I understand it, facegram.io is another Instagram web viewer. The service has about 50,000 subscribers on Facebook, so I think it can be considered popular.

Here we also search for the hashtag #instagramapi, and here is the result:

The same happens on the user page.

In fact, I found 27 sites where an XSS attack can be carried out. I don't think it is necessary to describe them all; here are links to the pages with XSS.

A list of all sites
I tried writing to Iconosquare and to the support of a few other sites, but they did not respond. Maybe some of you can tell the developers of these sites about the vulnerability.

P.S. This article is written to tell developers that they should not trust the data received from the Instagram API.
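
An added example, not part of the original post: the "couple of lines" of output encoding mentioned at the start, shown in JavaScript next to the vulnerable rendering, for both the page body and the meta description. The `media` object, its field names and the render functions are constructed for illustration and are not the real Instagram API schema or any site's code.

```javascript
// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample; the object shape and field names are assumptions.
const media = {
  user: { username: 'cat_owner', bio: '<script>alert(document.cookie);</script>' },
  caption: 'Say "meow" <script>alert(document.cookie);</script> #instagramapi',
};

// Vulnerable: API strings are concatenated into the markup unchanged.
function renderUnsafe(m) {
  return [
    `<meta name="description" content="${m.caption}">`,
    `<h1>${m.user.username}</h1>`,
    `<p class="bio">${m.user.bio}</p>`,
    `<p class="caption">${m.caption}</p>`,
  ].join('\n');
}

// Hardened: every API field is encoded at the point of output, including the
// meta description, where the quote characters must be encoded as well.
function renderSafe(m) {
  return [
    `<meta name="description" content="${escapeHtml(m.caption)}">`,
    `<h1>${escapeHtml(m.user.username)}</h1>`,
    `<p class="bio">${escapeHtml(m.user.bio)}</p>`,
    `<p class="caption">${escapeHtml(m.caption)}</p>`,
  ].join('\n');
}

// True when the output still contains a live <script> element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe has <script>:', containsScriptTag(renderUnsafe(media)));
console.log('safe has <script>:  ', containsScriptTag(renderSafe(media)));
console.log(renderSafe(media));
```

Encoding happens where the value is written into the page, so the stored API data stays unchanged and every template that prints it has to apply the same step.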
