SecurityTube uses a 3rd party component from Echo for its comment system. This gives users an easy way to leave comments and questions on the video pages without us having to build a full backend for it. Unfortunately, any 3rd party component comes with its own liability, and Echo is no exception.

Recently, some of our users alerted us to XSS attacks against this commenting system via the Username field. We allow anonymous comments through Echo, which in turn lets users choose any username they like, and this field is vulnerable to XSS. Credit for discovering this goes to Jbyte Security and later to CrewAlexander. I am embedding their demo videos below. Great work, guys, and thanks for letting us know. We would request that you contact the vendor and claim credit for the discovery.

Workaround: I have disabled anonymous commenting until the issue is fixed by the vendor. Until then all users will have to first authenticate using Twitter/Facebook, etc. and then post comments. This fixes the XSS.
Tags: tools
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.