Wednesday, July 5, 2017

Stored XSS

Gofundme Stored XSS #1 - Dashboard Stored XSS Through Campaign Name
Note/overview: One constraint was that campaign names are limited to 35 characters. So the plan is to check what is allowed and disallowed, find what is reflected and where, break out of the surrounding context, and trigger an alert with a payload of 35 characters or less.

While testing I created a campaign and gave it a name that would be easy to find in the page source; in this example I used Tera. I then went to the dashboard and opened My Campaigns to see how the name is reflected.

Next I probed the campaign-name field with common symbols to see whether any blacklist or filter was in place. I used <x>"xss"

We see that < and > were stripped, yet the quotation marks were left in place and landed in the page source unchanged. Using this information I decided to inject the following vector
This inline XSS vector works because the campaign name is written into title="campaign name here": the injected quotation mark closes the title value, so whatever follows it is parsed as further attributes of the same tag, and an event handler placed there becomes part of the site's own markup.

When we visit My Campaigns again and view the source, we can see it has been reflected into the page. Mousing over the campaign then triggers it, as seen below.
Most people would stop here, but let's go deeper and try to get this working on a public-facing page.

Gofundme Stored XSS #2 - Public Facing Campaign Page

I decided to humor myself and try the public-facing campaign page to see whether the same vector works there. When I viewed the page nothing fired, but I noticed an error in the browser console.

The name is not sanitized here either, but this time it is being written into a string literal inside a <script> tag, which is why the earlier vector only produced a syntax error. There is no need for an event handler in this context: rather than reinvent the wheel, we can close the string and let the site's own script execute our call.
The campaign title "+prompt(document.domain)+" comes in under 30 characters, well within the 35-character limit, and is accepted as a name. Checking the public-facing page shows that it works, as seen below. I also tested it in Chrome and on a different computer, which confirms that anyone who visited my campaign would have received it.

Stored or reflected XSS does not need to be a complete, self-contained piece of code or use conventional means to trigger. You can often reuse the page's existing code: inject into a string or attribute it already uses and let the site execute your payload for you. Injection into an existing inline context is often forgotten. As of now the vulnerability has been patched, thanks to the GoFundMe team, and I was rewarded $450 for it.
*Note: this is my first write-up, so forgive me if it's not clear or doesn't make sense.
