Cross Site Scripting through callback functionality
Today i would like to share a Cross Site Scripting Vulnerability that was existing in JSON/AJAX callback functionality. I found this vulnerability a few days back, but as the bug is fixed now, i'd like to share the story.
The vulnerability is existing in the forgot password functionality. The forgot password functionality uses an ajax based request/response mechanism within the login page. While testing the application, i observed that the application is using a callback function to render the response into the application.
This callback function name is being passed as a GET parameter. With a little analysis, i found that the callback parameter is vulnerable to Cross Site Scripting vulnerability. So i extracted the forget password request and crafted a GET based URL request with a simple XSS payload as the callback value.
So i submitted the bug to the security team. And once my bug is validated, it was fixed and i got a cool T-Shirt as a gift Swag.
As the countermeasure to my XSS Bug, they implemented html entity encoding for the callback parameter and hence all the conventional xss payloads are restricted successfully.
After few days, while testing another site, i found similar callback approach but this time with few limitations.
1. only the function "name" can be specified and it should contain only alphabets.
3. if you use " or ' in the request, it will generate an exception.
However these techniques are not enough to get an XSS in that application, but then i remembered the bug i submitted earlier.
As a countermeasure, the security team implemented html encoding for vital xss characters (such as < > " ' etc), but, they did not change the way the callback parameter work. Which means, the parameter value is still being returned as the function name and that too without any encoding (except the XSS chars like ' " < > etc).
Payload created :
This way, i got a cross site scripting vulnerability one more time on the same URL and same Parameter i submitted earlier.