Tuesday, April 28, 2015

Stored XSS in ebay messages filenames

I have been quite ethical hacker/pentester so far and have disclosed everything always responsibly (with or without bug bounty programs), so it's actually quite fun for me to do a first full disclosure (of sort).

Everything started more then year back, when I was looking around in many web applications and reporting everything that I found. Things were good, some of the times there was monetary benefit, sometimes I got some free stuff and sometimes I got to the "hall of fame" or simple "thank you" - overall reaction was nothing but great. Only company that's behaviour was bit different, was the ebay.
I discovered the vulnerability where attacker can do XSS attack over the ebay-s internal messages and since the session cookies in ebay are not HTTPonly, it was a quite high issue for targeted attacking.
When I reported this, I got the basic email back, about how much they value the security and so on. They asked not to disclose the issue to public (normal request) but then also added that they will not give me any information about when or how the issue will be fixed. I thought that this is kind of strange but to hell with that - as long as they fix it in normal time, I don't care.

3 months passed, no information from them and out of curiosity I checked the issue again. It was still there. Because the issue was simple "missing encoding" (usually quite quick fix), I contacted them and only response that I got was that they will not give any information about the fix time schedule.
Exactly same status was after 5 and 7 months (vulnerability still there and response to my email was same)

After that I pretty much forgot about it. I had much to do, so ebay was the last thing I cared about. Up until yesterday when during the skype chat, someone mentione Yahoo bug bounty case (https://grahamcluley.com/2013/09/serious-yahoo-bug/) and I remembered the ebay again.

So today I logged into the ebay and tried to replicate the issue (more then year later!) - it was still there. So it must not be as dangerous as I thought and no harm can happen from making it public

1. Start by sending message to someone other (pick the "This is not about an item")

2. Select "attach photos" functionality and upload the picture (my upload was monkey.jpg) - catch the request itself with burp (or some other proxy)

3. Modify the GET parameter named "picfile" and header named "X-File-Name" to contain your payload(mine was </script><script>alert('XSS')</script>)

4. If everything went well, you get something like this and you can submit the request (after filling captcha and other stuff) - catch request again with proxy

5. I'm not sure, that this is "MUST BE", but I modified file name also in this request

RESULT: When target opens the message, the result he/she gets is like this

QUICK ANALYSIS: Where exactly the payload is inserted
The filename is used inside message html in 2 places. First is the place it's displayed (encoded correctly).

The second is inside the javascript - there is no encoding used

Impact of this vulnerability (my opinion)
There are many things that make this issue dangerous. This is kind of short list about some of them:
  • You can create new users very easily to make these attacks (no email verification)
  • Target even gets a email about your message
  • Only 3 cookies are HTTPonly in ebay, none of them are needed for session hijacking
  • There seems no limiting factors for XSS payload (there might be length limits but this is easy to bypass)
  • Combining in with other stuff like http://www.securityfocus.com/archive/1/533361 (that is also still working in ebay!)