Sunday, September 14, 2014

Google Feedburner - Reflected XSS

11:03 PM Posted by Alexandru Coltuneac (dekeeu) , , , No comments


The base URL for this vulnerability will be : http://feedburner.google.com/fb/a/emailFlare?itemTitle=test&uri=test
If you open the link above in browser you can see that the basic form which allows you to email a "Flare" to a random e-mail address.

So, if you complete that form with random data but with the right captcha value you will be redirected to the next page which will contain my inserted payload. But, let's see first what request is made after you hit "Send Message" button :



Now, change the refferer parameter value with this payload: javascript:alert(1) . In the next page that will open, click on Return to the original web site text and you will notice that my alert() function was executed:



So, at this time, my flaw is just a self-xss because of that Captcha value which exists in every request. But, after some researching I found out that after every request for this page: http://feedburner.google.com/fb/a/emailFlare?itemTitle=test&uri=test , a new Captcha request is made: http://feedburner.google.com/fb/a/captcha?ct=RANDOM_DATA which will contain the captcha solution for the current form. That captcha value won't expire until someone will complete a form using that value:



So, let's assume that user A (tst22121996@gmail.com) wants to steal user's B (dekeeu@gmail.com) cookies. First, he will open this page in browser: http://feedburner.google.com/fb/a/emailFlare?itemTitle=test&uri=test , will intercept the traffic and using the Captcha request which will be made, will note the solution value for his Captcha and the value of ct parameter without submitting the form .

After that , he will make a new html page, completing token and captcha fields from the form below with the new obtained values:



Now, he saves all as a .html page and sends it to his victim, user B. When he will open that page and will click on "Return to the original web site" text, the alert() will pop-up.



This bug was validated , fixed and rewarded by Google Security Team.

Thanks !