Persistent XSS vulnerability in eBuddy Web Messenger
The Hacker News


A team member from Virtual Luminous Security, Russian Federation, has discovered a persistent XSS vulnerability in eBuddy (the biggest web IM solution in the world) by transmitting messages with embedded encoded javascript code.
In-depth detail
eBuddy Web Messenger suffers from an encoded-Persistent XSS vulnerability in the messaging function. (while sendingA message with embedded code to another authorized user in eBuddy WebMessenger).

Exploit example
Plain XSS (Not going to store, nor execute)
<script>alert('eBuddy Persistent XSS');</script>
Encoded
text=%3Cscript%3Ealert%28'eBuddy%20Persistent%20XSS'%29%3C/script%3E
[*] The attacker sends the encoded embedded code in an IM message.

The Hacker News
[*] The victim receives the message with the encoded embedded code and it executes on the victims browser.
The Hacker News

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.