Anatomy of a XSS vulnerability on Stack Overflow

Stack Overflow has had a mobile version of the site for quite a while now, and to make life easy for our users, we have a switcher in the footer – allowing one to toggle between the mobile and the full versions of the site.

Recently, an XSS vulnerability on this link was disclosed via our meta site.

The link markup was looking like the following:

<a onclick='StackExchange.switchMobile("on", "/some/path")'>mobile</a>

Here "/some/path" is the current request path – this ensures that when switching between mobile and full, one remains on the same page.

As it turns out, this path was rendered to the page using HTML encoding only, meaning that when accessing the site with the URL http://stackoverflow.com/%22,alert%281%29,%22 (which would throw up a “404 page not found” that contains the footer), clicking the link would execute a JavaScript alert.

How does it work?

When rendering the path %22,alert%281%29,%22, the link ended up looking like this:

<a onclick='StackExchange.switchMobile("on", "",alert(1),"")'>mobile</a>

This is because %22 is the URL encoding of ", %28 of ( and %29 of ).

The initial fix was to ensure " was correctly encoded. It was a quick fix, done to minimize damage from this particular form of attack, and it was followed by a change to the StackExchange.switchMobile function that removes the path parameter altogether and so precludes this attack – the path is no longer embedded in a string literal, and URL checking was moved to the server side.
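The encoding layers involved, as an added example that is not Stack Overflow's code: a minimal renderer in the vulnerable form (HTML encoding only) beside a hardened form that escapes for the JavaScript string first, plus a simulation of the browser decoding the attribute value before the script engine parses it, which is why &quot; on its own would not have helped. The post does not say which escaping the fix used, so the JavaScript string encoder, the argument counter and the names renderVulnerable/renderHardened/handlerSource/argumentCount are assumptions of this example.

```javascript
const PATH = '",alert(1),"';  // decoded form of the path in the post (constructed)

// Plain HTML encoder, standing in for the vulnerable renderer's only encoding step.
function htmlEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// JavaScript string-literal encoder (assumed form of the fix): every character
// outside a safe set becomes \xHH or \uHHHH, so none can end the literal.
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9\/._-]/g, c => {
    const hex = c.charCodeAt(0).toString(16);
    return hex.length <= 2 ? '\\x' + hex.padStart(2, '0') : '\\u' + hex.padStart(4, '0');
  });
}

// Vulnerable: HTML-encoded only, then dropped into the JS string literal.
function renderVulnerable(path) {
  return `<a onclick='StackExchange.switchMobile("on", "${htmlEncode(path)}")'>mobile</a>`;
}

// Hardened: encode for the innermost context (JS string) first, then the outer (attribute).
function renderHardened(path) {
  return `<a onclick='StackExchange.switchMobile("on", "${htmlEncode(jsStringEncode(path))}")'>mobile</a>`;
}

// The HTML parser decodes entities in the attribute value before the script engine
// sees the handler source, which is why &quot; on its own gives no protection here.
function handlerSource(markup) {
  return markup.match(/onclick='([^']*)'/)[1]
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Arguments the engine sees in the outer call: commas at paren depth 1 outside
// string literals (backslash escapes honoured). The intended shape has exactly 2.
function argumentCount(source) {
  let depth = 0, inStr = false, count = 0;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (inStr) { if (c === '\\') i++; else if (c === '"') inStr = false; continue; }
    if (c === '"') inStr = true;
    else if (c === '(') depth++;
    else if (c === ')') depth--;
    else if (c === ',' && depth === 1) count++;
  }
  return count + 1;
}
```

With the vulnerable renderer the handler source is exactly the line shown above and the engine sees four arguments; with the hardened renderer the path survives as one escaped string and the call keeps its two arguments.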

Getting good answers on StackOverflow – part 13 of n

Tip #13 – What have you tried?

When describing your problem, make sure to include details of what you have already tried. This helps ensure that you do not get answers suggesting things you have already tried, and that the answers you do get go into more depth.

Tip #1 – Ask a question

Tip #2 – Be polite

Tip #3 – Ask one question

Tip #4 – Descriptive title

Tip #5 – Write in English

Tip #6 – Pertinent code samples

Tip #7 – Stay on topic

Tip #8 – Do some research

Tip #9 – Stay engaged

Tip #10 – What, not how

Tip #11 – Accept rate

Tip #12 – Code that shows the problem

Getting good answers on StackOverflow – part 12 of n

Tip #12 – Code that shows the problem

When posting a code sample, make sure that it is representative of the problem you are having. This means that it needs to be syntactically correct (otherwise, people will point out the syntax errors rather than the problem you are trying to solve), it should compile if possible, and it must clearly show the problem.

This will ensure that people will be able to easily reproduce the issue and answers will be relevant to the problem.

Getting good answers on StackOverflow – part 11 of n

Tip #11 – Accept rate

Your accept rate tells people if you go back to your questions and choose the best answer for each question. A low rate is seen as a very negative thing and many people will not answer a question from someone with a low accept rate. Make sure your accept rate is high.

Accept rates are no longer displayed on questions or the user profile.

Getting good answers on StackOverflow – part 10 of n

Tip #10 – What, not how

When posting a question, don’t say how (or how not) you want people to answer it (for example, “I don’t want to hear about xxx”, “Only solutions in yyy”), but explain what you are attempting to achieve. This gives context to your question and better answers will result.

By telling people how you want to do things, you are limiting the answers and possibly offending them.

Getting good answers on StackOverflow – part 9 of n

Tip #9 – Stay engaged

Don’t fire and forget – that is, keep going back to your question, read the comments and answers, and respond to them. If you engage with the people who respond to your question, chances are good that you will get the answer you are looking for.

Getting good answers on StackOverflow – part 6 of n

Tip #6 – Pertinent code samples

Post code samples that show the issue; this helps others understand it far better than paragraphs of description.

Do not post pages and pages of code – no one will want to read through that, so limit yourself to code that is directly relevant to the question.