
Thread: Triggering an unexploitable DOM-based XSS in Rediff Blogs automagically

  1. #1
    Webapp Secninja
    Join Date
    Aug 2012
    Location
    Ranchi, Jharkhand
    Posts
    41
    Blog Entries
    2

    Triggering an unexploitable DOM-based XSS in Rediff Blogs automagically

    I want to share the details behind a DOM-based XSS which I found on Rediff Blogs. At first glance it looks unexploitable, as the source of the XSS is a cookie, which then lands in an innerHTML sink. So for exploitation we need a cookie to be present on the client which will be read by the vulnerable piece of JavaScript code.


    The issue was on the "404" page of Rediff Blogs (All new blogging service from Rediff.com). While looking at the client-side source code of that page I found a possibly DOM-based XSS vulnerable piece of code, which can be seen below:

    [Image: code_vuln.jpg]


    Most of the code is self-explanatory: Rlo is the vulnerable variable which loads a value from a cookie (of the same name), and then it is passed into the innerHTML sink of a SPAN tag. Rm should also be set to some value not equal to NULL so that we can trigger this DOM-based XSS; here again we need a cookie to make Rm not equal to NULL.

    Now, it looks difficult to make it a one-click exploit, as we would need the cookie with our vector to be set already, and another thing is the Rm cookie, which will push Rlo to reach the sink. For exploitation here comes the real trick: we can set a root domain cookie (i.e. .rediff.com) which will be accessible (according to the same-origin policy) from all subdomains of rediff.com.

    To achieve this goal, I found another XSS, this time a Flash-based XSS on imworld.rediff.com; the vulnerable file in this case was swfupload.swf (see SecLists.Org Security Mailing List Archive). Achievement unlocked! I can now set cookies for .rediff.com. I quickly wrote a PHP one-liner that redirects the user to the vulnerable Flash file, with the XSS vector set to write the required cookies for .rediff.com. See the PHP source code:

    [Image: one-liner.jpg]

    After setting the cookies it will automatically redirect our victim to the vulnerable 404 page, so now, with the required cookies in place, we can trigger this DOM-based XSS automagically.

    Aaaaaand,


    [Image: rediff.jpg]

    I've made a video to make this write-up more meaningful:



    These issues have been patched by Aditya Gupta of Rediff Security.


    Reference: Milad's Blog: Exploiting an unexploitable persistence DOM based XSS in feedly.com by using root domain cookies!

    Special Thanks to Rahul Sasi and all members of Garage, w00t
    Last edited by prakhar; 07-03-2013 at 01:32 AM.
    Hacking Wacking Sab Moh Maya Hai
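The two mechanisms the write-up relies on, a cookie value flowing straight into an innerHTML sink behind a second "gate" cookie, and a Domain=.rediff.com cookie being visible to every rediff.com subdomain, modelled as an added example (not the Rediff code from the screenshots, nor the PHP one-liner). The cookie names Rlo and Rm are taken from the post; the parser, the RFC 6265 domain-match check, the constructed cookie strings and the escaped "safe" rendering are assumptions for illustration, written as plain string functions so the block runs without a browser.

```javascript
// Added model of the cookie -> innerHTML pattern described in the post.
// Names Rlo/Rm come from the write-up; everything else is constructed.

// Minimal document.cookie parser: "a=1; b=2" -> { a: "1", b: "2" }
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// RFC 6265 section 5.1.3 domain matching: a cookie scoped to
// Domain=.rediff.com is sent to rediff.com and to every host ending in
// ".rediff.com", so a cookie written from one subdomain reaches the
// blog 404 page on another. Look-alike hosts do not match.
function cookieDomainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === dom || host.endsWith("." + dom);
}

// Vulnerable model: returns the string that would be assigned to
// innerHTML, or null when the Rm gate cookie is unset (as the post
// describes, Rlo only reaches the sink when Rm is non-null).
function renderVulnerable(cookieHeader) {
  const c = parseCookies(cookieHeader);
  if (!c.Rm) return null;      // gate cookie must be present
  return c.Rlo || "";          // raw cookie value -> innerHTML sink
}

// Hardened model: HTML-escape the cookie value so it can only ever be
// rendered as text, which is the effect of writing it to textContent
// instead of innerHTML in a real page.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}
function renderSafe(cookieHeader) {
  const c = parseCookies(cookieHeader);
  if (!c.Rm) return null;
  return escapeHtml(c.Rlo || "");
}
```

A browser-side fix is the same one-liner change (textContent instead of innerHTML); the domain-match function is the check to run when deciding whether a cookie set on one subdomain is trusted on another.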