XSS'ing the Telegraaf
2007/08/25, filed under /web
De Telegraaf is considered by some to be a trustworthy source of news. It is the website of one of the biggest newspapers in the Netherlands and, like so many other big websites, it is not XSS-safe.
After showing my new co-workers my eBay XSS adventure, I thought it would be nice to go see what else is out there. Heck, it's been almost a year!
My first try was this newspaper and boom, there we go. Within minutes I had some of my own text on the website and after fixing a thing or two, it also worked in Microsoft's Internet Explorer.
Since the newspaper is in Dutch, I figured my article had to be in Dutch as well and I basically copied the Webwereld article which talks about the eBay exploit (which was way more nasty and fun, but oh well).
Roughly, it talks about a Dutch guy finding the XSS leak in the website while complaining about the security of this big "professional" website. And of course, it shows you your telegraaf.nl cookie(s).
Click on the image to see the full size (and I apologize, for I don't know how to capture the Flash advertising on the site ;-)
The live version, if the site is still unpatched, can be viewed through my not too nicely crafted URL.
Update: the URL above no longer works, because the Telegraaf patched it. Unfortunately, a patch was preferred over a full solution, for the XSS hole is still open!
And welcome Webwereld readers!
Update: finally the Telegraaf is encoding user input on search queries! It seems they've closed this XSS hole now.
Too bad they did not respond to my email at all. A simple reply like "we're looking into it" would be nice. Guess I'll have the police at my door soon ;-)
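To make the difference between the "patch" and the full solution concrete, here is an added example (my own illustration, not the Telegraaf's code, and not the URL from the post) of a search page that reflects the `q` parameter into its HTML. The site URL, page template and the blacklist filter are assumptions; the filter stands in for a generic "strip `<script>` tags" fix, since the post does not say what the Telegraaf actually changed. The three renderers are the original hole, a blacklist patch, and HTML entity encoding of the reflected value, each run against a few constructed attack URLs:

```javascript
// Added example (not the Telegraaf's code): a search page that reflects the
// "q" parameter into its HTML, a hypothetical blacklist "patch" that strips
// <script> elements, and the proper fix of HTML-entity-encoding the value.
// The URL, template and filter are assumptions made for this illustration.

const PREFIX = '<h1>Results for: ';
const SUFFIX = '</h1>';

// Pull the search term out of a request URL the way the server sees it.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q') || '';
}

// 1. The original hole: the term is pasted into the page verbatim.
function renderUnsafe(q) {
  return PREFIX + q + SUFFIX;
}

// 2. A blacklist "patch" (hypothetical): delete <script>...</script> and
//    hope nothing else in the input is markup.
function stripScriptTags(q) {
  return q.replace(/<script[^>]*>.*?<\/script>/gis, '');
}
function renderPatched(q) {
  return renderUnsafe(stripScriptTags(q));
}

// 3. The real fix for an HTML body context: encode the five metacharacters
//    so the browser treats the term as text, never as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function renderEncoded(q) {
  return PREFIX + escapeHtml(q) + SUFFIX;
}

// Did the rendered page end up with a tag the template did not put there?
function hasInjectedTag(html) {
  const body = html.slice(PREFIX.length, html.length - SUFFIX.length);
  return /<\/?[a-z]/i.test(body);
}

// Constructed attack URLs against a made-up host (the post's real URL is
// deliberately not reproduced here).
const SITE = 'https://www.example.invalid/search';
const ATTACKS = {
  // the classic proof of concept: show the visitor their own cookie
  script: SITE + '?q=' + encodeURIComponent('<script>alert(document.cookie)</script>'),
  // no <script> element at all, so the blacklist never fires
  imgHandler: SITE + '?q=' + encodeURIComponent('<img src=x onerror=alert(document.cookie)>'),
  // single-pass stripping reassembles a <script> element from the fragments
  nested: SITE + '?q=' + encodeURIComponent('<scr<script></script>ipt>alert(1)</script>'),
};

// Run one renderer against every attack; returns { attackName: injected? }.
function assess(renderer) {
  const result = {};
  for (const [name, url] of Object.entries(ATTACKS)) {
    result[name] = hasInjectedTag(renderer(queryFromUrl(url)));
  }
  return result;
}

for (const [label, renderer] of [['unsafe', renderUnsafe], ['patched', renderPatched], ['encoded', renderEncoded]]) {
  console.log(label, assess(renderer));
}
```

The blacklist stops the obvious `<script>` payload but not an event handler on another element, and a single pass of stripping can even be made to assemble the very tag it removes; entity encoding closes all three because the output no longer contains a `<` at all. One caveat: `escapeHtml` is the right encoding only for text in an HTML body. A value reflected inside an attribute, a `<script>` block or a URL needs the encoding for that context, which is why "encode on output, per context" rather than "filter on input" is the full solution the post asks for.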


