LinkedIn Cross Site Scripting

`LinkedIn social network affected by Persistent Cross-Site Scripting  
vulnerability(XSS)  
(patched in less than 3 hours)  
  
=========================  
  
I. VULNERABILITY  
-------------------------  
LinkedIn social network is affected by Persistent Cross-Site Scripting  
(stored XSS)  
vulnerability.  
  
II. BACKGROUND  
-------------------------  
LinkedIn is a social networking service and website operates the world's  
largest professional network on the Internet with more than 187 million  
members in over 200  
countries and territories.  
More Information: http://press.linkedin.com/about  
  
III. DESCRIPTION  
-------------------------  
LinkedIn social network is affected by Persistent Cross-Site Scripting  
vulnerability. The persistent (or stored) XSS vulnerability is a more  
devastating variant  
of a cross-site scripting flaw: it occurs when the data provided by the  
attacker is saved by the  
server, and then permanently displayed on "normal" pages returned to other  
users in the  
course of regular browsing, without proper HTML escaping. The affected  
resource is  
http://community.linkedin.com/questions/ask.html , the help center  
discussion forum.  
  
IV. PROOF OF CONCEPT  
-------------------------  
After signing in, go to LinkedIn Help Center(  
https://help.linkedin.com/app/home/) --> Help Forum(tab)  
--> Start a Discussion (http://community.linkedin.com/questions/ask.html).  
In the 'Your Question' field you can enter random chars(min. 10), although  
its a vulnerable field too.  
The 'Enter tags' field can have any tags.  
In the 'Give more Details' field you can put this:-  
  
padding padding  
padding  
<<a></a>body onload = alert('XSS') >  
  
The '<a></a>' tags are important. LinkedIn filters detect and remove  
content with chars after opening html  
tag(<),  
eg: 'aa<body>d' will get modified to just aad.  
The '<a></a>' go through the filter and get removed resulting in '<body  
onload = alert(1) >', which executes nicely.  
  
Finally, once the question gets posted it(along with the script execution)  
can be immediately viewed in Help Forum-->Your Discussions or in the  
questions public list, or the questions page of your tag.(could be easily  
used for a xss worm!)  
  
* POC Video link at end  
  
V. BUSINESS IMPACT  
------------------------  
If a malicious user will find a way to exploit this vulnerability could  
make other users perform actions that she wanted in the application because  
the csrf token is useless, since based on the user's session.  
  
The vulnerability could be used to spread a XSS worm using help forums.  
  
XSS attacks can have a profound impact on an organizations reputation and  
security, as well as the security of its customers.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
The vulnerability affects the LinkedIn network.  
  
VII. CREDITS  
-------------------------  
These vulnerabilities have been discovered by  
Rohit Dua (https://in.linkedin.com/in/rohitdua).  
(https://github.com/rohit-dua)  
  
VIII. DISCLOSURE TIMELINE  
-------------------------  
Nov 16, 2015: Vulnerability acquired by Rohit Dua(  
https://in.linkedin.com/in/rohitdua).  
Nov 16, 2015 11:15 PM: Responsible disclosure to Linkedin Security  
Team.  
Nov 16, 2015 11:28 PM: Initial vendor notification sent  
Nov 17, 2015 02:12 AM: Vendor implemented a fix*  
Nov 18, 2015: Disclosure  
  
* LinkedIn sec. team fixed the bug within 3 hours of reporting.  
  
IX. Links  
------------------------  
screenshot:- http://www.rohitdua.com/images/linkedin-xss-screenshot.png  
injected-code:-  
http://www.rohitdua.com/images/linkedin-xss-injected-code.png  
POC Video:- https://www.youtube.com/watch?v=01I9ImHP26o  
  
  
  
`