Digg Vulnerable to XSS


Nitesh Dhanjani
Nov. 23, 2005 09:26 PM

While trying to use the ‘search’ feature on Digg, I realized that it is vulnerable to Cross Site Scripting (XSS). The search string is echoed back without proper output encoding. Example:

http://digg.com/search?search=%3Cscript%3Ealert%28%27vulnerable%20to%20xss%27%29%3B%3C%2Fscript%3E&submit=Submit
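As an added example (not Digg's code), the following toy page renderer shows the defect the post describes beside its fix: the decoded `search` parameter from the URL above is echoed raw in one version and HTML-encoded in the other, with a small check a defender can use to spot unencoded reflection.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the request URL from the post (parsed locally, never fetched).
SAMPLE_URL = ("http://digg.com/search?search=%3Cscript%3Ealert%28%27vulnerable"
              "%20to%20xss%27%29%3B%3C%2Fscript%3E&submit=Submit")


def search_param(url):
    """Return the decoded 'search' query parameter as the server would see it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("search", [""])[0]


def render_vulnerable(term):
    """Hypothetical results page that echoes the term straight into HTML (the bug)."""
    return f"<p>Results for: {term}</p>"


def render_fixed(term):
    """Same page with HTML output encoding applied, which is the missing step."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def is_reflected_unencoded(term, body):
    """Defender's check: the raw term contains markup characters and appears
    verbatim in the response body, i.e. it was reflected without encoding."""
    has_markup = any(c in term for c in "<>\"'")
    return has_markup and term in body


if __name__ == "__main__":
    term = search_param(SAMPLE_URL)
    print("decoded term:", term)
    print("vulnerable:", is_reflected_unencoded(term, render_vulnerable(term)))
    print("fixed:     ", is_reflected_unencoded(term, render_fixed(term)))
```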


I haven’t checked to see if the comments or new story submission modules are affected – if they are, things could get pretty messy. I have contacted the Digg team about this; let’s hope they fix it soon.

Update: They fixed it this morning.

Nitesh Dhanjani is a well known security researcher, author, and speaker. Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.