Thursday 17 April 2014

Google Chromium XSS Auditor Bypass - 0Day Attacks

The "XSS Auditor" was first introduced by Google in 2010 as a browser-side filter against reflected XSS attacks.
However, we found that the following string bypasses the filter.




<script>0,alert("XSS")</script>




The mechanism of the filter is simple. It checks whether the reflected code contains the same content that the user sent in the request.




If it finds the same content, Chromium checks whether that content sits inside a tag such as <script></script>, <img> and so on.




If so, Chromium removes the matching content from the reflected code.
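The following is an added example, not code from the post and not Chromium's implementation: a toy model of the reflection check described above, placed beside the output-encoding defence that does not depend on any browser filter. It assumes parameter values arrive already decoded and models only the <script> context; the post does not say why the string above evades the real auditor, and the model does not try to reproduce that.

```javascript
// Toy auditor, as the post describes the mechanism: if a request parameter value is
// reflected verbatim inside a <script> element of the response, drop that element.
// The real auditor is a heuristic and the post reports that the string below evades it;
// this model does not try to reproduce why.
function toyAuditor(params, html) {
  const scriptRe = /<script\b[^>]*>[\s\S]*?<\/script>/gi;
  let blocked = false;
  let out = html;
  for (const value of Object.values(params)) {
    if (!value.includes("<script")) continue; // only tag-bearing values are checked
    out = out.replace(scriptRe, (element) => {
      if (element.includes(value) || value.includes(element)) {
        blocked = true;
        return "";
      }
      return element;
    });
  }
  return { html: out, blocked };
}

// Server-side defence: encode at output time, so reflected input never becomes markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchPage(q) {
  return `<html><body><p>Results for: ${escapeHtml(q)}</p></body></html>`;
}

// Constructed sample: the string from the post reflected verbatim by a naive page.
const payload = '<script>0,alert("XSS")</script>';
const naiveHtml = `<html><body><p>Results for: ${payload}</p></body></html>`;
```

With encoding in place the auditor has nothing to strip, which is the property a defender wants: the page is safe whether or not the browser's filter is present or bypassable.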






Published By: Wang Jing, Mathematics, School of Physical & Mathematical Science,
Nanyang Technological University, Singapore


GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability










Domain: getpocket.com
"Pocket was founded in 2007 by Nate Weiner to help people save interesting articles, videos and more from the web for later enjoyment. Once saved to Pocket, the list of content is visible on any device — phone, tablet or computer. It can be viewed while waiting in line, on the couch, during commutes or travel — even offline. The world's leading save-for-later service currently has more than 17 million registered users and is integrated into more than 1500 apps including Flipboard, Twitter and Zite. It is available for major devices and platforms including iPad, iPhone, Android, Mac, Kindle Fire, Kobo, Google Chrome, Safari, Firefox, Opera and Windows." (From: https://getpocket.com/about)


Vulnerability Description:
Pocket has a web security vulnerability that an attacker can exploit through CSRF attacks.

"Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application." (OWASP)


Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2), and Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.



Vulnerability Details:
The flaw exists at the "https://getpocket.com/edit/edit" page, e.g. https://getpocket.com/edit?url=http%3A%2F%2Fwpshout.com%2Fchange-wordpress-theme-external-php&title=

Vulnerable URL:
https://getpocket.com/edit?url=http%3A%2F%2Fwpshout.com%2Fchange-wordpress-theme-external-php&title=


A website created by me is used for the following tests. The website is "http://itinfotech.tumblr.com/". Suppose that this website is malicious. If it contains the following link, an attacker can post any message they like.
<a href="https://getpocket.com/edit?url=http%3A%2F%2Fmake.wordpress.org%2Fcore%2F2014%2F01%2F15%2Fgit-mirrors-for-wordpress&title=csrf test">getpocket csrf test</a> [1]


When a logged-in victim clicks the link ([1]), a new item is saved to his/her "Pocket" without his/her noticing. An attack has happened.




MailChimp’s Login Page Online Website Unvalidated Redirects and Forwards Bug

"More than 9 million people and businesses around the world use MailChimp. Our features and integrations allow you to send marketing emails, automated messages, and targeted campaigns. And our detailed reports help you keep improving over time.

MailChimp has been around since 2001. We started as a side project funded by various web-development jobs. Now we send more than 600 million emails a day. We love seeing businesses start small, fund themselves with paying projects, and build up a strong API, so that's how we run MailChimp. We create products and features that empower our customers to grow."








The vulnerability exists at the "http://login.mailchimp.com/?" page in the "referrer" parameter, e.g.
http://login.mailchimp.com/?referrer=http://google.com [1]


When a user clicks the URL ([1]) before logging in, the MailChimp login page appears. The user enters his/her username and password, after which the user can be redirected to a webpage outside MailChimp.




Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 8, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2), and Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.






(1) The following tests illustrate the scenario described above.
The redirected webpage address is "http://www.tetraph.com/essayjeans/". We can suppose that this webpage is malicious.










Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/










Kaneva Sign-in Page Open Redirect Vulnerability - 0Day Attacks

“Combining a social network and a virtual world, Kaneva brings profiles and entertainment to the 3D realm in a modern-day, online digital world full of real friends and good times. Kaneva provides a whole new way — a more human way — to connect with friends online.
Kaneva members create the digital version of themselves — avatars — and then meet up in a vibrant,  3D world based on the modern day. Every Kaneva member gets a Kaneva City Loft — their own 3D space — that they can decorate and furnish in their unique style. You can bring your favorite videos, photos, music, and games, and watch them on your 3D televisions. You can invite friends to hang out in your 3D home or meet up in any of Kaneva’s public spaces and chat in real-time. You can shop for the latest fashions or home decor, chat, dance, play games, watch TV and movies, and come back again and again to explore and have fun in an ever evolving world full of exciting people, places and entertainment.”


The vulnerability exists at the "loginSecure.aspx" page in the "logretURLNH" parameter, e.g.
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com [1]






When victims who are not logged in click the URL ([1]) above, the Kaneva sign-in page is displayed. The victims enter their username and password, after which they are redirected to a webpage outside Kaneva.





Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 8, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2), and Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.







(1) The following tests illustrate the scenario described above.

The redirected webpage address is "http://www.tetraph.com/essaybeans/street_artists/clark_quay.html". We can suppose that this webpage is malicious.




Vulnerable URL:
https://www.kaneva.com/loginSecure.aspx?logretURLNH=https://shop.kaneva.com/MySales.aspx





POC:
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3A%2F%2Fwww.tetraph.com%2Fessaybeans%2Freflections%2Fsolitude.html
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fgoogle.com
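The following is an added example, not MailChimp's or Kaneva's code, covering both the MailChimp "referrer" and the Kaneva "logretURLNH" cases above: it validates a post-login redirect target against the site's own origin and an allowlist of hosts and falls back to a safe default for anything else, including the protocol-relative, scheme and lookalike-host forms that naive prefix checks miss. The allowlisted hosts and the "evil.example" host in the samples are assumptions.

```javascript
function safeRedirectTarget(raw, policy) {
  const { origin, allowedHosts, fallback = "/" } = policy;
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return fallback;
  let url;
  try {
    url = new URL(raw, origin); // relative paths resolve against the site itself
  } catch {
    return fallback;
  }
  // Reject non-web schemes (javascript:, data:), protocol-relative "//host" forms
  // (the WHATWG parser resolves them to the foreign host), embedded credentials,
  // and lookalike hosts such as www.kaneva.com.evil.example (exact host match only).
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  if (url.username || url.password) return fallback;
  if (!allowedHosts.has(url.hostname)) return fallback;
  return url.href;
}

// Read the parameter from the login page URL the way a handler would: the query
// parser already decodes http%3a%2f%2fmsn.com to http://msn.com before validation.
function targetFromPageUrl(pageUrl, paramName, policy) {
  const value = new URL(pageUrl).searchParams.get(paramName);
  return safeRedirectTarget(value, policy);
}

// Assumed allowlists: only hosts the site itself should ever send a user to.
const KANEVA = { origin: "https://www.kaneva.com",
  allowedHosts: new Set(["www.kaneva.com", "shop.kaneva.com"]) };
const MAILCHIMP = { origin: "https://login.mailchimp.com",
  allowedHosts: new Set(["login.mailchimp.com", "mailchimp.com"]) };
```

Under this policy the legitimate shop.kaneva.com target in the "Vulnerable URL" above still works, while the POC targets and the MailChimp google.com example all collapse to the fallback.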





Credit:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/











Olark Online Website Unvalidated Redirects and Forwards Vulnerability - 0day Bug

"Olark is the most beautiful and effective way to talk to your customers for sales and support. And we make it super easy for you! Solve customers' problems before they have a chance to click away. Give them the answers they need immediately and gain powerful insights about what they want for relationships that last. Olark has powerful features to give you access to visitors and their behaviors. Make your business (and your site) look good and keep customers coming back. Olark was founded in 2009 by Ben Congleton, Matt Pizzimenti, Roland Osborne and Zach Steindler. Initially funded by seed accelerator Y Combinator, Olark has gone on to profitable success by providing a compelling product and amazing service. We believe the world is a better place when people help each other out. That's why you'll find any one of our team members answering your chat. It's what we love to do. Olark is headquartered in the arboreal oasis of South Park, in San Francisco. We also have an office in Ann Arbor, MI, our "hometown", as well as employees across the US, Canada, Brazil and the U.K."






Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 8, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2), and Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.





(1) One of my webpages is used for the following tests. The webpage address is "http://www.tetraph.com/essaybeans/reflections/solitude.html". We can suppose that this webpage is malicious.




Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)