Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Comments Widget Exposed Many Websites to Attacks

A stored cross-site scripting (XSS) vulnerability found in a popular comments widget exposed a large number of websites to attacks. The security hole was quickly patched by the product’s developers.

A 14-year-old security enthusiast named Ibram Marzouk recently discovered a stored XSS flaw in the comments section of code snippet marketplace PasteCoin.

A stored cross-site scripting (XSS) vulnerability found in a popular comments widget exposed a large number of websites to attacks. The security hole was quickly patched by the product’s developers.

A 14-year-old security enthusiast named Ibram Marzouk recently discovered a stored XSS flaw in the comments section of code snippet marketplace PasteCoin.

A friend of Marzouk’s, Karim Rahal, who is also 14, later noticed that the XSS vulnerability was not limited to PasteCoin and instead affected HTML Comment Box, a popular widget that allows web designers and developers to add a simple comment box to their websites.

HTML Comment Box is designed to filter user input in an effort to prevent XSS attacks, but the payload used by Rahal bypassed the filter: “>><<img src=x onerror=alert(1);//>>

“The open and closing tags filter was bypassed using double ‘greater than (>)’ and ‘lower than (<)’ tags. In addition, the filter that checks the attributes used was bypassed by closing the attribute with a ‘semicolon (;)’ and the double ‘slashes (//)’ would comment out the javascript,” Rahal explained in a post on Detectify’s blog.

HTML Comment Box XSS

The vulnerability was reported to the developer of HTML Comment Box through Detectify’s recently launched crowdsourced bug bounty program. The developer patched the flaw within a couple of hours.

A Google search conducted by Rahal returned roughly 2 million pages that had been using the comments widget. The same search performed by SecurityWeek returned more than 760,000 results, including many duplicates. Nevertheless, it’s clear that HTML Comment Box is present on many sites.

This is not the first time researchers have found vulnerabilities in the comments widget. Back in 2013, researchers Rafay Baloch and Deepankar Arora identified both persistent and reflected XSS flaws in HTML Comment Box.

Advertisement. Scroll to continue reading.

Related Reading: Google Releases New XSS Prevention Tools

Related Reading: XSS Flaws Decline, DoS Becomes More Common

Related Reading: WordPress Flaw Allows XSS Attack via Image Filenames

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.