diceboy50
23-04-2010, 04:54 PM
Ironic, isn't it? The security check is vulnerable to Cross Site Scripting.
It appears to try to sanitise the URL, thus <script></script> tags are useless here, but alas, tags are not necessary to steal a session cookie via this URL.
An XSS hole for Habbo Hotel has not been in the public domain for a long while, so this is our gift to you. It will not last so make the most of it while you can.
If you are not aware, you do not need a user's Habbo name or password to get on their account if you have their session cookie. You can log into your account, sit on homepage, use Firefox's "Add n' Edit Cookies" add-on to set their JSESSIONID as your JSESSIONID, and then all that is required is a page refresh in Habbo Homes to be logged into their account.
A full tutorial on how to steal another Habbo's session (and use it yourself) using the
*Removed*
exploit has been compiled for you. For learning purposes only, of course ;]
IMPORTANT: Safari 4 and IE8 with XSS filtering enabled are immune.
Perhaps others also. Test alternative browsers and comment.
Also, this will only work on users who logged in using their name and not email. (thanks Loget)
Extract from a Habbo hacking site. It seems they can't hack you if you use your Habbo ID; otherwise, if you log in with your username, you can be hacked by just visiting a website!! :(
Edited by Catzsy (Forum Super Moderator): Please do not post content that links to hacking tutorials. Thread closed as this topic has already been posted here: http://www.habboxforum.com/showthread.php?t=640225
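The two technical points in the quoted extract, as an added JavaScript example that is not from the forum post, the quoted site, or Habbo's own code: a filter that only strips script tags leaves a URL parameter reflected into HTML unsafe, while contextual encoding neutralises it, and a session cookie flagged HttpOnly cannot be read by page script in the first place. The weak filter, the template and the cookie format are assumptions; the input string is constructed.

```javascript
// Weak "sanitiser" of the kind the extract describes: removes <script>...</script>
// tags but leaves quotes and everything else untouched (assumed, not Habbo's code).
function stripScriptTags(value) {
  return value.replace(/<\s*\/?\s*script[^>]*>/gi, '');
}

// Contextual output encoding: every character that can close an HTML attribute
// or open a tag becomes an entity, so the value is only ever read as text.
function escapeHtmlAttribute(value) {
  return value.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Assumed template: the user-controlled value is reflected into an href attribute.
function renderLink(encode, userValue) {
  return `<a href="/search?q=${encode(userValue)}">results</a>`;
}

// Defensive check: the attribute must still end where the template put it.
// Any leftover raw quote or angle bracket means the value broke out of it.
function attributeIsContained(html) {
  const m = html.match(/href="([^"]*)"/);
  if (!m) return false;
  const rest = html.slice(m.index + m[0].length);
  return !/[<>"]/.test(m[1]) && rest === '>results</a>';
}

// Cookie side: with HttpOnly set, document.cookie never exposes the session id,
// so script injected into the page has nothing to send anywhere (cookie format assumed).
function sessionCookieHeader(sessionId) {
  return `JSESSIONID=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

function cookieReadableByScript(setCookieValue) {
  return !/;\s*HttpOnly\b/i.test(setCookieValue);
}

// Constructed input: a quote to close the attribute, plus a script tag the weak filter removes.
const constructedInput = 'abc" x="y<script>z</script>';
console.log(attributeIsContained(renderLink(stripScriptTags, constructedInput)));   // false
console.log(attributeIsContained(renderLink(escapeHtmlAttribute, constructedInput))); // true
console.log(cookieReadableByScript(sessionCookieHeader('session-id')));               // false
```

The tag filter passes the quote straight through, so the rendered attribute is no longer contained, whereas the encoded version keeps the whole value inside it; the HttpOnly flag is the matching fix for the cookie-theft half of the extract.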