Hey look everyone, yet another demonstration of how cross-site scripting (XSS) can be used for evil. This time we find ourselves at ustream.tv and yet again this is another simple to find vulnerability. The input for the order parameter on the site search was not properly encoded in the title of the output page.
The video demonstrates an attacker sending a link to a broadcaster. Note that links must be enabled otherwise they are stripped. If the victim clicks on the link all of their shows are deleted, leaving the namespace open for somebody else to claim. Something interesting to note is that the chat logs persist through the transaction.
Some of you may be wondering why the XSS is even needed to carry out this attack. The reality is that it is not. Plain cross-site request forgery works just fine. To target a user, one would only have to do the following.
1. Look up the users list of channels http://www.ustream.tv/json/user/evilpacket/listAllChannels
2. Craft delete url's http://www.ustream.tv/mybroadcasts/delete/[CHANNELID]
3. Send the user a link, or get them to visit your malicious page that will make their browser proxy requests for you cross-site request forgery style.
Music: Dan Deacon - The Crystal Cat