Hacker News new | ask | show | jobs
by IgorPartola 4093 days ago
Anyone else already find the XSS in genius.it?

Edit: wow, the whole thing is seriously broken. Emailing them now.

Edit 2: It's not as broken as I thought, and these guys are quick to reply and try to figure things out. To be clear, I haven't gotten it to run arbitrary JS, just include arbitrary HTML, which isn't as dangerous.
3 comments
tomlemon 4093 days ago
Let us know this'd be very helpful! tom@genius.com
link
paulirish 4093 days ago
BTW would really love to link to a particular annotation.
link
IgorPartola 4092 days ago
I noticed it when http://genius.com/5104616 was broken where John included the <div> tag.
link
IgorPartola 4093 days ago
Emailed.
link
homakov 4093 days ago
>Anyone else already find the XSS in genius.it?

This is a sandboxed domain, like googleusercontent, so not a bug. XSS on genius.com would be a vulnerability.

link
glandium 4093 days ago
How is including arbitrary html not as dangerous, when arbitrary html also means <script> tags?
link
nightpool 4093 days ago
I'm not sure what exactly he's referring to, but annotations allow you to use markdown and some (limited, heavily sanatized and whitelisted) html, so that could be what he was talking about.
link
glandium 4093 days ago
heavily sanitized and whitelisted html isn't really arbitrary, is it?
link
IgorPartola 4092 days ago
To clarify, it appears that both genius.it and genius.com use Markdown which allows HTML. Their code sanitizes it, so that you can't include attributes of tags, and you can't include certain tags such as <script>, <style>, <link>, or <meta>. I spent about 10 minutes on it and could not break it. That isn't to say it cannot be broken, just that it's not wide open and obvious attacks are mitigated.

I was able to XSS myself: when I added certain types of malicious code it did execute, but if I reload the page the malicious part is not rendered. In other words, it's filtered on the output, not input, and the rendering is different for content fetched from the server vs content you just created. You can execute code in your own browser, but not for anyone else (as far as I was able to).

Their team is very responsive and took my concerns over this seriously.

link