Hacking AOL
Posted by: Gerry Eisenhaur in Content, tags: 0day, exploit, hacking, webappsec, xss
I had some free time today and after about 10 minutes of poking around AOL’s web services, I came to the conclusion that their developers have no concept of security. Every AOL domain I looked at had multiple XSS holes on basically every page. They ranged from random subdomains like:
http://autos.aol.com/
http://finance.aol.com/
To more serious domains like:
http://webmail.aol.com/ (need to be logged in)
https://account.login.aol.com/
To the really bad:
https://my.screenname.aol.com/
Access to all of AOL’s web services requires only 2 cookies, SNS_AA from aol.com, and SNS_SKWAT from screenname.aol.com. The only positive thing I ran into is the fact they require you to answer a security question to access account management functions.
Oh! I almost forgot, they also made a feeble attempt at blocking a select number of JavaScript functions and attributes. For example, this is blocked:
But this isn’t: