Sunday, 6 April 2014

Cross Site Scripting through callback functionality


Hello Guys,

Today i would like to share a Cross Site Scripting Vulnerability that was existing in JSON/AJAX callback functionality. I found this vulnerability a few days back, but as the bug is fixed now, i'd like to share the story.

The vulnerability is existing in the forgot password functionality. The forgot password functionality uses an ajax based request/response mechanism within the login page. While testing the application, i observed that the application is using a callback function to render the response into the application.


This callback function name is being passed as a GET parameter. With a little analysis, i found that the callback parameter is vulnerable to Cross Site Scripting vulnerability. So i extracted the forget password request and crafted a GET based URL request with a simple XSS payload as the callback value.

https://www.DUMMY-WEBSITE.com/users/ajaxonforgotpassword.php?callback=<script>alert(document.cookie)</script><!--+



So i submitted the bug to the security team. And once my bug is validated, it was fixed and i got a cool T-Shirt as a gift Swag.

As the countermeasure to my XSS Bug, they implemented html entity encoding for the callback parameter and hence all the conventional xss payloads are restricted successfully.


After few days, while testing another site, i found similar callback approach but this time with few limitations.

1. only the function "name" can be specified and it should contain only alphabets.
2. the payloads you enter will be returned as a javascript object.
3. if you use " or ' in the request, it will generate an exception.

So, in order to create a successful XSS payload, i tried  1. displaying javascript objects  2. ignoring objects by commenting  and by making null functions 3. breaking the syntax into multiple lines by Line Feed Characters etc.,

However these techniques are not enough to get an XSS in that application, but then i remembered the bug i submitted earlier. 
As a countermeasure, the security team implemented html encoding for vital xss characters (such as < > " ' etc), but, they did not change the way the callback parameter work. Which means, the parameter value is still being returned as the function name and that too without any encoding (except the XSS chars like ' " < > etc).

So i followed the same approach as above and created a javascript syntax, so that the response will create an exact xss payload.

Payload created :
       alert(document.cookie);function+aaa(obj){}+aaa



This way, i got a cross site scripting vulnerability one more time on the same URL and same Parameter i submitted earlier.

4 comments:

  1. Good one bro. Whats the tool you are using ?

    ReplyDelete
    Replies
    1. Thanks. Tools wont help u much.. its a custom javascript payload.. manually tailored.

      Delete
  2. This comment has been removed by a blog administrator.

    ReplyDelete