Monday, 18 April 2016

Cross Site Scripting and URL redirection ...

Hi Guys,

Almost 2 years back I found a cross-site scripting bug and a DOM-based open URL redirection bug on a certain website. Since the issues are still not patched, even after 2 years, I have decided to write a blog post about them.

Cross Site Scripting:
As per OWASP, "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it."

While testing xxxxx.com, I ended up working on the support page, which points to xxxx.yyyy.com. After playing around with the site, I found that it is vulnerable to reflected cross-site scripting at the following URL.

http://xxxxx.yyyy.com/customer/portal/topics/266877-xxxxx-extend-for-ios

The payload used is a simple <style/onload=alert(document.location)>

So the execution URL is:

http://xxxxx.yyyy.com/customer/portal/topics/266877-xxxxx-extend-for-ios?pid=aaa<style/onload=alert(document.location)>

Make sure to use a mobile browser or a browser with a mobile user agent.

Reproduction Instructions / Proof of Concept

1. Navigate to the vulnerable URL using a mobile browser (or change the user-agent to any mobile browser UA and open the vulnerable link) for verification.

2. At the bottom of the page, observe that a variable pid is displayed as "pid=undefined".

3. Pass the pid variable with an XSS payload through the URL; the value is reflected unencoded and the payload executes.

POC: 


The same website is vulnerable to URL redirection as well.

Open redirection vulnerability:

As per OWASP, "Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application's access control check and then forward the attacker to privileged functions that they would normally not be able to access."

The vulnerable URL is: http://xxxxx.yyyy.com/customer/portal/articles/search?return_url=

The payload used is: http://www.facebook.com

So the execution URL is:

http://xxxxx.yyyy.com/customer/portal/articles/search?return_url=http://www.facebook.com

Reproduction Instructions / Proof of Concept

Make sure to use a mobile browser or a browser with a mobile user agent.

1. Navigate to the vulnerable URL using a mobile browser (or change the user-agent to any mobile browser UA and open the vulnerable link) for verification.

You will find yourself redirected to m.facebook.com, since the request comes from a mobile browser.

POC: As this is DOM-based redirection, I cannot disclose the PoC without disclosing the target :(
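As an added example (not code from the original post or from the site in question), here is the defensive handling for both inputs discussed above: the reflected pid value is HTML-escaped before it reaches the page, and return_url is followed only when it resolves to the page's own origin. The function names, the page origin and the sample URLs are assumptions made for the example.

```javascript
// Added example (not from the original post): defensive handling of the two
// inputs discussed above. Function names and sample values are constructed.

// Escape the HTML-significant characters so a reflected value renders as text
// rather than as markup (a <style/onload=...> payload becomes inert).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read one query parameter from a page URL, as a DOM sink would from location.search.
function queryParam(pageUrl, name) {
  return new URL(pageUrl).searchParams.get(name);
}

// The footer text that the vulnerable page prints as "pid=undefined": here the
// parameter is escaped before insertion (in a real DOM, assign it with
// textContent instead of innerHTML or document.write).
function renderPidFooter(pageUrl) {
  const pid = queryParam(pageUrl, 'pid');
  return 'pid=' + escapeHtml(pid === null ? 'undefined' : pid);
}

// Resolve return_url against the page origin and follow it only when the
// result stays on that origin. Absolute URLs to other hosts, protocol-relative
// "//host" forms and non-http schemes (javascript:, data:) all resolve to a
// different origin (or to "null") and fall back to a safe in-site path.
function safeReturnUrl(input, pageOrigin, fallback = '/') {
  if (typeof input !== 'string' || input.trim() === '') return fallback;
  let resolved;
  try {
    resolved = new URL(input, pageOrigin);
  } catch {
    return fallback; // unparseable input
  }
  if (resolved.origin !== pageOrigin) return fallback;
  // Return a relative path so the redirect can never leave the site.
  return resolved.pathname + resolved.search + resolved.hash;
}
```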


Thanks for reading. As always, suggestions and queries are welcome.

1 comment:

  1. Another common use of cross-site scripting occurs when login credentials are stolen. Good point added. Thank you for sharing.
