OKCupid Cross Site Scripting

Posted on 24 September 2014
Title: OKCupid Server Error Page XSS
Severity: High
CVE-ID: CVE-2014-3148
Re-release: 20 September 2014
Author: Kenneth F. Belva
Websites: http://silverbackventuresllc.com
 http://xssWarrior.com
 http://securitymaverick.com
Twitter: @infosecmaverick
Contact: Please use website contact form.
Mail:
URL: https://github.com/okws/okws
Vendor:
Remote Exploit: Yes

Description:
============

A non-existent page triggers the vulnerable XSS page.

Proof of Concept :
==================

http://okcupidserver/none/[code]

Various URLs :
==================

Public Release:
https://twitter.com/infosecmaverick/status/462573038299803648

Hacker1:
https://hackerone.com/reports/3317

Git Credit and Correction:
https://github.com/okws/okws/commit/e9bedb644d106a043e33e1058bedd1c2c0b2e2e0

Solution:
=========

Upgrade.

Remarks:
========

Thanks to @Sidnicious at OKCupid for such a quick fix and responsiveness
TOP
Malware :

Last 20
Exploits :

Last 20