It's taken months and months but with the issues now fixed I wanted to finally publish this post. Enjoy!
Iframe Src XSS
While poking around Paypal I came across a help files section. Straight away my bounty hunter senses started tingling as the site looked pretty old and poorly designed. After a quick parse with Dominator it detected a really simple DOM based XSS issue:
The page contained Javascript that would write the location hash value directly into an iframe source without any kind of filtering.
To exploit you'd just use the following:
https://www.paypalobjects.com/en_US/vhelp/paypalregistration_help/paypalregistration_help.htm#javascript:alert(1)
Because paypalobjects was a separate domain to the main Paypal site there was no way to access session data/launch attacks from the main Paypal domain. And for phishing paypalobjects is a really unconvincing name so I'd argue this was relatively low risk issue.
Playing with SWFs
Knowing how easy it can be to exploit SWF's I did some Googling and went through the SWF files Paypal were using. After analyzing a few I found a SWF that used a remote xml file to define the links used within the page.
https://personal.paypal.com/cms_content/IL/en_US/files/marketing_il/pp101_what_is_paypal.swf?xmlPath=/cms_content/IL/en_US/files/marketing_il/pp101_what_is_paypal.xml
The SWF started by loading the xmlPath variable (included in the URL). If no path was supplied a default was used instead.
Once past this check, myXML.load(path) completes and now within the button onPress event the getURL will be performed on our xml values.
<links> <link uri="https://personal.paypal.com/il/cgi-bin/marketingweb?cmd=_render-content&content_ID=marketing_il/PayPal_FAQ"/> <link uri="http://www.youtube.com/watch?v=UsOTILPwegg"/> </links>
I created my own xml file and added javascript for links.
<links> <link uri="javascript:alert(1)"/> <link uri="javascript:alert(1)"/> </links>
And created a crossdomain.xml that allows all, so the swf could access my xml file.
<?xml version="1.0" ?> <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-policy>
Now to exploit our Paypal user all we do is send a link pointing to our xml file:
https://personal.paypal.com/
And if the user clicks any of the buttons they get pwned:
Final Thoughts
I wasn't the first person to report either of these issues and they've been on the site so long I'm sure a lot of bounty hunters have already seen them. Basic coding errors were to blame in both instances and could have been solved by using proper input filtering/whitelisting.
Hope you guys found this post interesting, any questions or feedback, drop a comment below!
Pwndizzle out.
I also reported this and it turned out to be a duplicate(Now I know why).. I bypassed this just by using an IP address with http:// instead of a domain with https:// :-)
ReplyDeleteHey Deepankar, thanks for the tip. Because of the poor filtering pretty much anything that didn't start with www. should have worked as a bypass.
ReplyDeleteMcAfee sometime make system work in a slow manner, but you shouldn’t feel panic about it as McAfee offers different ways to conserve your system resource and power while scanning. McAfee customer care executives are present at McAfee Helpline Number UK to provide you immediate assistance over this.
ReplyDeleteContact No. : - +44-808-169-9742
Website: - http://www.mcafee.uk-help-number.co.uk/
Face Book: - https://www.facebook.com/mcafeeukhelpnumber/
Twitter: - https://twitter.com/McAfee_Help_UK
Address: - London, United Kingdom
Given article is very helpful and very useful for my admin, and pardon me permission to share articles here hopefully helped :
ReplyDeleteObat gastroenteritis alami
Obat herbal gastroparesis
Obat tumor rahang tanpa operasi
Reni herbal
This is lovely. keep it up
ReplyDeleteclipping path service|Photo Retouching services|Vector Tracing
Best and Top Interior Designers in Gurgaon If you are confounded? Try not to stress. We offer a free conference to help you in settling on a choice with the best vision and quality that you merit.
ReplyDelete||Best Interior Designers In Gurgaon
||Best Interior Designers In Delhi
||interiors designing company in gurgaon
||interior design company in gurgaon
||interior designer in gurgaon
||interior designers in gurgaon
||interiors designing company in delhi
||interior design company in delhi
||interior designer in delhi
||interior designers in delhi
||interior designer delhi
||top interior designers in gurgaon
||interiors company in gurgaon
||top interior decorators in gurgaon
||interior designers and decorators in gurgaon
||modular office furniture in gurgaon
||modular kitchen manufacturers in gurgaon
||office furniture in gurgaon
||home furniture manufacturer in gurgaon
||wooden modular almirah manufacturer in gurgaon
||wooden partition manufacturers in gurgaon
||false ceiling manufacturer in gurgaon
||greed false ceiling manufacturer in gurgaon
In this day and age, email correspondence has become the most noteworthy piece of the present business. The truth of the matter is that we can’t live without email administrations and the vast majority of our budgetary exchanges rely upon it.
ReplyDelete||Roadrunner Email Support
||Roadrunner Email Support Toll-free Number
||roadrunner technical support
||roadrunner support number
||roadrunner support
||roadrunner tech support phone number
||roadrunner email support phone number
||roadrunner phone number
||roadrunner customer service number
||Roadrunner Customer Service Number
||roadrunner customer service number
||roadrunner webmail support
||roadrunner email customer service
||roadrunner customer service phone number
||Roadrunner Email Support Number
||roadrunner support
||roadrunner contact number
||roadrunner customer support number
||roadrunner customer support phone number
||Roadrunner Technical Support Phone Number
||roadrunner support number
||roadrunner technical support phone number
||roadrunner technical support number
||roadrunner customer support
دانلود آهنگ جدید
ReplyDeleteسینا پارسیان شکاف
کامی یوسفی سنیوریتا
Norton Antivirus Activation
ReplyDeleteMcAfee Antivirus Product Key
This review was so good and cool, I never imaging I would be able to get a post like this that is so important about Paypal. Really, over some years I have had people complaining about Paypal, thank you once more for the update you are great in developing contents and informaton.
ReplyDeletehttps://www.tecteem.com/paypal-login/
school administration software
ReplyDeletesmart school management system
school database management system
education erp software
school erp system
smart school software
Find a Mobile Casino on our website. Here you can find a lot of Online Casinos and Bookmakers. Casino and Sporting Sites Reviews, the Best Games and Sports Promotions. Visit us to see more.
ReplyDeleteGreat information, i was searching of this kind of information, thankyou very much for sharing with us. i also have some links to share
ReplyDeleteBuy Ambien Online
Order Ambien Online
Buy Ambien 10mg Online
xanax bars for sale
fastest Modafinil delivery
ativan 2mg buy online
ativan 1mg tablet buy online
Nice post, you give the clear idea of the topic and I subscribed your blog, I have some links to share here
ReplyDeletebuy modalert online
buy artvigil online
buy waklert online
buy modvigil online
NRI Legal Advisors India is the best legal advisors provide you the recommended nri legal services in india helps to solve your nri legal issues without any visit to india with the help of their many years of working experience. If you're interested and want to know more about the complication legal terms absolutely free then visit the official website of law credo - best legal guide in the world.
ReplyDelete