Full Disclosure mailing list archives
Re: Paypal Core Bug Bounty #3 - Persistent Web Vulnerability
From: Krzysztof Kotowicz <kkotowicz+fd () gmail com>
Date: Mon, 17 Dec 2012 20:09:27 +0100
Successful exploitation of the vulnerability results in persistent session hijacking (admin), account steal via persistent phishing or persistent search module web context manipulation.
Exactly how is the session hijacking/phishing/web content manipulation _persistent_? Just because the payload is _stored_ does not necessarily mean that is it always running.
Proof of Concept: ================= The persistent vulnerability can be exploited by remote attackers with privileged paypal user account and low required user interaction.
[...]
Manually reproduce ... 1. Go to the addressbook and switch to add a new contact to adressbook 2. Include script code (html/js) as username to the addressbook and save the context 2. Now, switch to the user search (addressbook) module (other layer) & click the user contact search to activate 3. Include the exact name of the username (script code (html/js)) from the addressbook and press the search button 4. The context of the other layer from the addressbook will be executed directly out of the results listing page of the exisiting user contacts 5. Done! POST REQUEST: method="post" name="searchContact"
How is THAT a "low user interaction" scenario? IIUC, victim has to manually (no mention of CSRF here) insert a XSS payload into his address book, then search for the payload exactly as inserted (is there a antiCSRF token needed for the search request) and only then is the payload executed. During this scenario user knowingly sees & uses Javascript code twice - that's hardly low interaction. Unless I'm missing something - is there a cross-account action going on where one user manipulates the address book for a second user (e.g. from the same organisation?) Best regards, Krzysztof Kotowicz
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Paypal Core Bug Bounty #3 - Persistent Web Vulnerability Vulnerability Lab (Dec 14)
- Re: Paypal Core Bug Bounty #3 - Persistent Web Vulnerability Krzysztof Kotowicz (Dec 20)
- <Possible follow-ups>
- Re: Paypal Core Bug Bounty #3 - Persistent Web Vulnerability Vulnerability Lab (Dec 21)