About Group About.com All Topics (At least 99.88% links) Vulnerable to XSS (Cross-Site Scripting) Security Attacks

Vulnerability Description:

All of About.com's "topic sites" are vulnerable to XSS (Cross-Site Scripting) attacks, which means every sub-domain of about.com is affected. Using a self-written program, 94357 links were tested; only 118 of them do not belong to the topic (Metasite) links. Some about.com main pages are vulnerable to XSS as well. This means no more than 0.125% of the links are unaffected, and at least 99.875% of About Group's links are vulnerable to XSS attacks. In about.com's structure the main domain is little more than a cover, so very few links belong to it.

At the same time, the search field on the About.com main page is vulnerable to XSS attacks as well, so all domains related to about.com are affected.

Vulnerability Discoverer:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing

Vulnerability Disclosure:
These vulnerabilities were reported to About.com on Sunday, Oct 19, 2014. No one replied, and as of this writing they remain unpatched.

[Screenshot: about_quesion_security_xss1]

(1) Some Basic Background

(1.1) Domain Description:

“For March 2014, 61,428,000 unique visitors were registered by comScore for About.com, making it the 16th-most-visited online property for that month.” (The New York Times)

“About.com, also known as The About Group (formerly About Inc.), is an Internet-based network of content that publishes articles and videos about various subjects on its “topic sites,” of which there are nearly 1,000. The website competes with other online resource sites and encyclopedias, including those of the Wikimedia Foundation” (Wikipedia)

“As of May 2013, About.com was receiving about 84 million unique monthly visitors.” (TechCrunch. AOL Inc.)

“According to About’s online media kit, nearly 1,000 “Experts” (freelance writers) contribute to the site by writing on various topics, including healthcare and travel.” (About.com)

(1.2) Topics Related to About.com

“The Revolutionary About.com Directory and Community Metasite. Hundreds of real live passionate Guides covering Arts, Entertainment, Business, Industry, Science, Technology, Culture, Health, Fitness, Games,Travel, News, Careers, Jobs, Sports, Recreation, Parenting, Kids, Teens, Moms, Education, Computers, Hobbies and Local Information.” (azlist.about.com)

About.com – Sites A to Z (number of topics per letter)

A: 66    B: 61    C: 118   D: 49    E: 33    F: 57    G: 39
H: 48    I: 32    J: 15    K: 13    L: 36    M: 70    N: 26
O: 23    P: 91    Q: 4     R: 32    S: 104   T: 47    U: 12
V: 9     W: 43    X: 1     Y: 4     Z: 1
SUM: 1039

Reference:

In fact, these are not all the topics of about.com. Some topics are not listed here, such as,

So there are more than 1000 topics related to about.com.

(1.3) Result of Exploiting XSS Attacks

“Exploited XSS is commonly used to achieve the following malicious results:
    Identity theft
    Accessing sensitive or restricted information
    Gaining free access to otherwise paid for content
    Spying on user’s web browsing habits
    Altering browser functionality
    Public defamation of an individual or corporation
    Web application defacement
    Denial of Service attacks (DOS)” (Acunetix)

(2) Vulnerability details:

A method was found to attack About.com users through XSS.

All links under the subdomains of about.com can be used for this attack.

Append "/lr/" to the URL of any About.com subdomain, then append either arbitrary path text followed by the script code, or the script code directly. The resulting structure is "http://subdomain.about.com/lr/*/script_code".

The vulnerability can be exploited without the user being logged in. Tests were performed on Mozilla Firefox (33.0) in Ubuntu (14.04) and Microsoft IE (9.0.15) in Windows 7.

[Screenshot: about_all_xss_2]

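The defect behind the "/lr/" breakout described above, and the fix a defender would apply, shown as an added Python example that is not About.com's code. The page template, the canonical-link attribute the path is reflected into, and the host name are assumptions: the advisory does not show About.com's markup, and the guess that the path lands inside a double-quoted attribute is inferred only from the PoC payload opening with `">` to close one.

```python
# Added example (not About.com's code). Shows why reflecting a raw request
# path into an HTML attribute lets a "/lr/..." path break out of the markup,
# and two ways to render the same template safely.
# ASSUMPTIONS: the <link rel="canonical"> template and the host name are
# hypothetical stand-ins for whatever About.com actually rendered.
import html
import re
from urllib.parse import quote

# Constructed request paths in the shape the advisory describes:
# http://subdomain.about.com/lr/*/script_code
ATTACK_PATH = '/lr/ipad_how-tos/9033"><svg/onload=alert(/justqdjing/)>'
BENIGN_PATH = "/lr/ipad_how-tos/9033"

HOST = "http://ipod.about.com"  # hypothetical


def render_vulnerable(path: str) -> str:
    """The defect: the raw path is interpolated into an attribute value."""
    return f'<link rel="canonical" href="{HOST}{path}">'


def render_escaped(path: str) -> str:
    """Fix 1: HTML-attribute-escape the path (quote=True also escapes '"')."""
    return f'<link rel="canonical" href="{HOST}{html.escape(path, quote=True)}">'


def render_url_encoded(path: str) -> str:
    """Fix 2 (stricter): percent-encode anything that is not a path character,
    so the value stays a URL and never contains '<', '>' or '"' at all."""
    safe_path = quote(path, safe="/-_.~")
    return f'<link rel="canonical" href="{HOST}{safe_path}">'


# A crude tag scanner: the template contributes exactly one tag, so any
# additional tag in the rendered output means the path broke out of it.
TAG_RE = re.compile(r"<[a-zA-Z][^>]*>")


def rendered_tags(document: str) -> list:
    """All tags found in a rendered document."""
    return TAG_RE.findall(document)


def breaks_out(document: str) -> bool:
    """True when rendering produced more than the single expected <link> tag."""
    return len(rendered_tags(document)) != 1


if __name__ == "__main__":
    for name, renderer in [("vulnerable", render_vulnerable),
                           ("html-escaped", render_escaped),
                           ("url-encoded", render_url_encoded)]:
        out = renderer(ATTACK_PATH)
        print(f"{name:13s} breaks out: {breaks_out(out)}")
        print("   ", out)
```

Escaping is context-specific: `html.escape` is correct for text nodes and quoted attributes, while the percent-encoding variant is the better choice when the reflected value is supposed to be a URL anyway, because it keeps the attribute a valid URL instead of merely a harmless string.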
PoC codes, e.g.:

/"><svg/onload=alert(/justqdjing/)>

http://ipod.about.com/lr/ipad_how-tos/9033"><svg/onload=alert(/justqdjing/)>

http://dc.about.com/lr/shopping/a/BlkFriday.htm/"><svg/onload=alert(/justqdjing/)>

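For the operations side, an added Python example (not from the advisory) that scans web-server access logs for requests shaped like the PoC URLs above: it percent-decodes each request path and checks for the attribute breakout and inline event handler. The log lines, client addresses and rule names are constructed for the example; the regexes are a starting point for a SIEM or WAF rule, not a complete XSS signature set.

```python
# Added example (not from the advisory): flag requests carrying the "/lr/"
# breakout payload in combined-format access logs.
# ASSUMPTIONS: the log lines below are constructed sample data, not real
# About.com traffic; the rule set is a minimal heuristic for this one payload shape.
import re
from urllib.parse import unquote

# Constructed sample log lines (combined/common log format).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Oct/2014:10:01:02 +0800] "GET /lr/ipad_how-tos/9033 HTTP/1.1" 200 5120
203.0.113.7 - - [19/Oct/2014:10:01:09 +0800] "GET /lr/ipad_how-tos/9033%22%3E%3Csvg/onload=alert(/justqdjing/)%3E HTTP/1.1" 200 5210
198.51.100.9 - - [19/Oct/2014:10:02:30 +0800] "GET /lr/shopping/a/BlkFriday.htm/%22%3E%3Csvg%2Fonload%3Dalert(1)%3E HTTP/1.1" 200 4990
198.51.100.2 - - [19/Oct/2014:10:03:00 +0800] "GET /od/ipadbasics/ HTTP/1.1" 200 7001
"""

# ip, timestamp, method, path, status, size
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)'
)

# Rules run against the percent-decoded path, because the breakout arrives
# URL-encoded on the wire. Each entry: (rule name, compiled regex).
RULES = [
    # a quote followed by '>' then '<': closes an attribute and opens a new tag
    ("attr_breakout", re.compile(r'"\s*>\s*<')),
    # an <svg ...> tag with an onload handler, as in the advisory's PoC
    ("svg_onload", re.compile(r"<svg[^>]*onload", re.I)),
    # any inline event handler inside a tag (onload=, onerror=, ...)
    ("event_handler", re.compile(r"<[^>]*[\s/]on[a-z]+\s*=", re.I)),
]


def decode_path(raw_path: str) -> str:
    """Percent-decode repeatedly until stable, to catch double-encoded payloads."""
    prev, cur = None, raw_path
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return cur


def scan_log(text: str) -> list:
    """Return one finding per suspicious request: ip, time, decoded path, status, rules hit."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        ip, ts, method, path, status, _size = m.groups()
        decoded = decode_path(path)
        hits = [name for name, rx in RULES if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": ip,
                "time": ts,
                "method": method,
                "path": decoded,
                "status": status,
                "lr_handler": decoded.startswith("/lr/"),
                "rules": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because the server answered the PoC requests with 200 (the payload is reflected into a successful page, not rejected), status codes alone will not surface this; the path content has to be inspected after decoding, which is why the scanner normalises with `unquote` before applying the rules.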
Wang Jing