
Stored XSS in Twitter Translation Center's Forum

by

Ashar Javed https://twitter.com/soaj1mashar

On Feb 2, 2014 (Sunday), I found and reported a stored XSS issue in Twitter Translation Center's Forum. The stored XSS issue has now been fixed (in fact, fixed within a day by Twitter) and now my name has been added a third time (2012, 2013 & 2014 sections) to the Twitter Security page: https://about.twitter.com/company/security. Twitter Translation Center's forums are available at the following URL: https://translate.twitter.com/forum/. If you are logged in via your Twitter account, you can post a new topic as well as reply to someone's post. Twitter allows some MARK-UPS that you may use in your post. The following figure shows Twitter's markdown cheat sheet:

Nothing much to play around with if we look at Twitter's markdown cheat sheet, but the thing that caught my attention is "Links". There are two ways of writing a link in your post or reply:

The first method given in the markdown cheat sheet is simple, i.e., write a complete URL starting with http:// or https://, and Twitter will internally convert this into a link like <a href="http://www.example.com">http://www.example.com</a>. If your URL does not start with http:// or https://, then internally it will be treated as <p>, i.e., a paragraph tag. You know what I am thinking at this point! :) I am thinking of XSS via a JavaScript URI or a DATA URI, but at this point in time, and using this method of link creation, Twitter internally treats them as a simple paragraph.

So this is about the first method of having links in your post or reply, but the second method of creating links sounds interesting...

Using this method, you first mention a link text in square brackets [ ] and then the link in small brackets ( ), e.g., [twitter](https://twitter.com) is internally converted into <a href="https://twitter.com">twitter</a>. What happens if I replace https://twitter.com with javascript:alert(1), like [twitter](javascript:alert(1))? It is internally converted into <a href="javascript:alert(1">twitter</a>. Still the XSS does not work, but the good thing is that a JavaScript URI may work here, provided a syntax adjustment to deal with ). Twitter considers the alert function's small right bracket ) as the URL termination. As the next step I decided to use HTML5 entities for the ( and ) symbols, i.e., &lpar; and &rpar;. The next input looks like [twitter](javascript:alert&lpar;1&rpar;) and is internally converted into <a href="javascript:alert&amp;lpar;1&amp;rpar;">twitter</a>. So the XSS still does not work, because Twitter is encoding the ampersand (&) sign into the respective entity, i.e., &amp;. The final input that I am expecting to work (URL encoding of the ( and ) symbols): [twitter](javascript:alert%281%29) is internally converted into <a href="javascript:alert%281%29">twitter</a>. Here you go!
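To make the failure mode concrete from the defender's side, here is an added example (written for this page, not code from the post or from Twitter) that contrasts a link renderer behaving the way the post describes with a renderer that allow-lists the URL scheme. Both method-one and method-two links are covered by the same regex. The names naive_render, safe_render, href_scheme and SAFE_SCHEMES are hypothetical, and the sample inputs are the post's three attempts plus a benign link, constructed inline.

```python
import html
import re
from urllib.parse import urlsplit

# Markdown-style link: [label](href). The href stops at the first ')' or
# whitespace, which reproduces the "right bracket terminates the URL"
# behaviour the post describes.
LINK_RE = re.compile(r"\[([^\]]*)\]\s*\(([^)\s]*)\)")

# Hypothetical allow-list of URL schemes a forum link may carry.
SAFE_SCHEMES = {"http", "https", "mailto"}


def naive_render(text):
    """Rewrite [label](href) into <a href="...">label</a> without checking
    the scheme. '&' is entity-encoded (as the post observed), so &lpar; is
    neutralised, but a percent-encoded javascript: URI passes straight through."""
    def repl(m):
        label, href = m.group(1), m.group(2)
        return '<a href="%s">%s</a>' % (html.escape(href, quote=True),
                                        html.escape(label))
    return LINK_RE.sub(repl, text)


def href_scheme(href):
    """Return the lower-cased URL scheme the browser will act on ('' if relative).
    Entities are decoded first (an attribute value is entity-decoded before the
    URL is parsed) and ASCII control/space characters, which browsers ignore in
    the scheme, are removed so that obfuscated spellings collapse to one form."""
    cleaned = re.sub(r"[\x00-\x20]", "", html.unescape(href))
    return urlsplit(cleaned).scheme.lower()


def safe_render(text):
    """Same rewrite, but the link is only emitted when its scheme is allowed.
    Percent-encoding the characters after the scheme (the post's final input)
    does not change the decision: the scheme is still 'javascript'."""
    def repl(m):
        label, href = m.group(1), m.group(2)
        scheme = href_scheme(href)
        if scheme and scheme not in SAFE_SCHEMES:
            # Unsafe scheme: keep the label as plain escaped text, drop the link.
            return html.escape(label)
        return '<a href="%s">%s</a>' % (html.escape(href, quote=True),
                                        html.escape(label))
    return LINK_RE.sub(repl, text)


# Constructed inputs: the post's three attempts plus a benign link.
SAMPLES = [
    "[twitter](https://twitter.com)",
    "[twitter](javascript:alert(1))",
    "[twitter](javascript:alert&lpar;1&rpar;)",
    "[twitter](javascript:alert%281%29)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("input :", s)
        print("naive :", naive_render(s))
        print("safe  :", safe_render(s))
        print()
```

The design point is that encoding individual characters after the fact (entity-encoding &, cutting at the first ")") treats symptoms; the durable fix is to decide on the decoded scheme before the link is emitted, so the choice of (, &lpar; or %28 in the remainder of the URI is irrelevant.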

The whole procedure took me 10 minutes and we have a stored XSS in Twitter Translation Center's Forum! :) [Figure: Twitter Translation Forum] Previously I had found reflective and DOM XSS in Twitter Translation, so I thought this time it would be a stored one, and I found one :) The following figures show the reflective and DOM XSS issues in Twitter Translation that I found in the years 2012 and 2013 respectively!

So see you, Twitter, next year! :-)
