Uploaded image for project: 'Mojang Web Services'
  1. Mojang Web Services
  2. WEB-268

XSS vuln on beta.minecraft.net

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Important Important
    • None
    • None

      I found a (quite serious) vulnerability on the new MC beta page. It's possible to insert a JavaScript URI in the return_url parameter. Here's a little demo:

      https://beta.minecraft.net/en/login/?return_url=javascript:alert%28document.cookie%29

      The good news is that this particular vuln only works when you're logging in on that page, but at that point it can be used to do pretty much anything. I assume you know what XSS is.

      The minified JS code is a bit hard to read, so I haven't checked other endpoints, but there might be similar cases where a login is not required. You should double check that window.location.href is only used with safe URIs.

      You should also be able to check your nginx (1.6.2, duh) logs to see if this has already been abused.

            KrisJelbring [Mojang] Kristoffer Jelbring (Inactive)
            redstonesheep deleted
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: