It's taken months and months, but with the issues now fixed I wanted to finally publish this post. Enjoy!
Iframe Src XSS
While poking around PayPal I came across a help files section. Straight away my bounty hunter senses started tingling, as the site looked pretty old and poorly designed. A quick pass with Dominator detected a really simple DOM-based XSS issue:
To exploit it, you'd just use the following:
Because paypalobjects was a separate domain from the main PayPal site, the same-origin policy meant the injected script couldn't read session data or launch attacks in the context of the main PayPal domain. And for phishing, paypalobjects is a really unconvincing name, so I'd argue this was a relatively low-risk issue.
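The help page's own script isn't reproduced above, so here is an added reconstruction of the pattern Dominator flags (example code, not PayPal's): a query parameter written straight into an iframe's src, beside a whitelisting version. The origin https://help.example.com/, the parameter name page and the allowed-host list are assumptions made for the example. The reason this is XSS rather than an open redirect is that a javascript: URL in an iframe src runs in the origin of the page containing the iframe.

```python
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumptions for the example (not PayPal's real configuration).
PAGE_ORIGIN = "https://help.example.com/"
ALLOWED_FRAME_HOSTS = {"help.example.com"}   # compared against the full netloc


def vulnerable_iframe_src(query_string: str) -> str:
    """The bug pattern: whatever arrives in ?page= becomes the iframe's src.

    A value such as javascript:alert(document.domain) is a valid iframe src,
    and the script executes in the origin of the page that embeds the iframe.
    """
    params = parse_qs(query_string.lstrip("?"))
    return params.get("page", ["default.html"])[0]


def safe_iframe_src(query_string: str, page_origin: str = PAGE_ORIGIN):
    """Whitelist version: resolve the value against the page origin, then
    require https and an allowed netloc.  Returns None when the value is rejected.

    Resolving first turns '/faq.html' into an absolute URL we can check and
    exposes protocol-relative '//evil.example.net/...' as a foreign host;
    javascript: and data: values keep their own scheme and fail the https test.
    Comparing the whole netloc (not just the hostname) also rejects userinfo
    tricks like 'https://help.example.com@evil.example.net/' and odd ports.
    """
    candidate = vulnerable_iframe_src(query_string).strip()
    resolved = urljoin(page_origin, candidate)
    parts = urlsplit(resolved)
    if parts.scheme != "https" or parts.netloc.lower() not in ALLOWED_FRAME_HOSTS:
        return None
    return resolved


if __name__ == "__main__":
    for q in ("?page=/faq.html",
              "?page=javascript:alert(document.domain)",
              "?page=//evil.example.net/phish.html",
              "?page=data:text/html,<script>alert(1)</script>",
              "?page=https://help.example.com@evil.example.net/"):
        print(f"{q!r:60} vulnerable -> {vulnerable_iframe_src(q)!r}")
        print(f"{'':60} safe       -> {safe_iframe_src(q)!r}")
```

The fix is deliberately an allowlist rather than a blocklist of schemes: new URL forms keep appearing, and a page only ever needs to frame a handful of known locations.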
Playing with SWFs
Knowing how easy it can be to exploit SWFs, I did some Googling and went through the SWF files PayPal was using. After analyzing a few, I found a SWF that used a remote xml file to define the links used within the page.
The SWF started by loading the xmlPath variable (included in the URL). If no path was supplied, a default was used instead.
Once past this check, myXML.load(path) completes, and within the button's onPress handler getURL is called with the uri values taken from our xml file. The original xml looked like this:
<links>
  <link uri="https://personal.paypal.com/il/cgi-bin/marketingweb?cmd=_render-content&content_ID=marketing_il/PayPal_FAQ"/>
  <link uri="http://www.youtube.com/watch?v=UsOTILPwegg"/>
</links>
I also created a crossdomain.xml that allows all domains, so the SWF could load my xml file from my server:
<?xml version="1.0" ?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
Now, to exploit a PayPal user, all we do is send them a link whose xmlPath points to our xml file:
And if the user clicks any of the buttons, they get pwned:
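The SWF's ActionScript isn't reproduced here, so the following is an added Python reconstruction of its two decisions (example code, not PayPal's): where to load the links xml from, and what to hand to getURL for each uri. It pairs the vulnerable xmlPath handling with a fix that only accepts same-origin paths, parses the <links> format shown above, and separates http(s) targets from the javascript: uris an attacker's file would carry, which the browser would otherwise execute in the origin of the page embedding the SWF. The SWF origin www.example.com, the default path and the attacker xml are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Assumptions for the example (not the real deployment).
DEFAULT_XML_PATH = "https://www.example.com/flash/links.xml"   # the SWF's built-in default
SWF_ORIGIN = ("https", "www.example.com")                       # scheme + netloc serving the SWF

# Constructed attacker-controlled links file, served next to a permissive crossdomain.xml.
# getURL() on a javascript: uri is executed by the browser in the origin of the page
# embedding the SWF, so the first button becomes an XSS payload.
ATTACKER_XML = """<links>
  <link uri="javascript:alert(document.domain)"/>
  <link uri="http://www.youtube.com/watch?v=UsOTILPwegg"/>
</links>"""


def vulnerable_xml_path(query: dict) -> str:
    """Mirror of the SWF's logic: trust xmlPath from the URL, fall back to the default."""
    return query.get("xmlPath") or DEFAULT_XML_PATH


def safe_xml_path(query: dict):
    """Fix for the first decision: only load xml from the SWF's own origin.

    Resolving relative to the default path keeps '/flash/other.xml' usable, while
    '//attacker.example/x.xml' and 'http://attacker.example/x.xml' resolve to a
    foreign scheme/netloc and are rejected (None).  The attacker's crossdomain.xml
    then never comes into play, because the SWF never asks for their file.
    """
    path = query.get("xmlPath")
    if not path:
        return DEFAULT_XML_PATH
    resolved = urljoin(DEFAULT_XML_PATH, path.strip())
    parts = urlsplit(resolved)
    if (parts.scheme, parts.netloc.lower()) != SWF_ORIGIN:
        return None
    return resolved


def parse_link_uris(xml_text: str) -> list:
    """Parse the <links><link uri="..."/></links> format the SWF consumes."""
    root = ET.fromstring(xml_text)
    return [link.get("uri", "") for link in root.iter("link")]


def split_navigable(uris):
    """Fix for the second decision: getURL only ever receives http(s) targets.

    Returns (allowed, rejected).  The scheme check lowercases and strips leading
    whitespace first, so 'JavaScript:' or ' javascript:' don't slip past.
    """
    allowed, rejected = [], []
    for uri in uris:
        scheme = urlsplit(uri.strip()).scheme.lower()
        (allowed if scheme in ("http", "https") else rejected).append(uri)
    return allowed, rejected


if __name__ == "__main__":
    attacker_query = {"xmlPath": "http://attacker.example/links.xml"}
    print("vulnerable loads:", vulnerable_xml_path(attacker_query))
    print("fixed loads:     ", safe_xml_path(attacker_query))
    ok, bad = split_navigable(parse_link_uris(ATTACKER_XML))
    print("getURL allowed:  ", ok)
    print("getURL blocked:  ", bad)
```

Both checks are needed: restricting xmlPath stops the attacker supplying the file, and the scheme check on each uri means a compromised or mistyped entry in the legitimate file still can't turn a button into script execution.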
I wasn't the first person to report either of these issues, and they've been on the site so long I'm sure a lot of bounty hunters have already seen them. Basic coding errors were to blame in both instances, and both could have been prevented with proper input filtering/whitelisting.
Hope you guys found this post interesting, any questions or feedback, drop a comment below!