Many websites allow users to input URLs, such as links to social media profiles or personal websites.
A common method for such attacks is to place the JavaScript pseudo-protocol (javascript:) in the submitted URL.
Successful exploitation of this method generally hinges on the server performing inadequate validation of the URL.
I've encountered an intriguing scenario on several websites where, despite successfully getting a JavaScript protocol URL into an anchor tag, the browser blocks its execution.
The remainder of this post will cover two stored XSS vulnerabilities I reported to Microsoft and Wix based on the above-mentioned technique.
The API endpoint responsible for creating new bookmarks lacked server-side validation for the user-provided URL. The server accepted any URL, including javascript: URLs, which leads to stored XSS. However, as I explained earlier, the anchor tag in which our URL is used has the attribute target="_blank", which makes exploitation harder.
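The missing control is server-side validation of the URL before it is stored. The following is an added example, not code from the post or from Microsoft: it contrasts the kind of raw-string denylist that javascript: variants slip past with an allowlist applied to the parsed URL, using the same WHATWG parsing the browser applies to an href. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example (not the page's or Microsoft's code): server-side validation
// of a user-supplied bookmark URL. It contrasts a raw-string denylist that the
// javascript: pseudo-protocol slips past with an allowlist applied to the
// parsed URL, using the same WHATWG parsing the browser uses for an href.

// Naive check: reject only strings that literally start with "javascript:".
function naiveDenylistAccepts(input) {
  return !input.toLowerCase().startsWith("javascript:");
}

// Only these schemes may be stored and later rendered into an <a href>.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Hardened check. The WHATWG parser strips leading/trailing C0 controls and
// spaces, deletes embedded tabs and newlines, and lowercases the scheme, so
// obfuscated variants collapse to protocol === "javascript:" and are rejected.
function validateBookmarkUrl(input) {
  if (typeof input !== "string" || input.length === 0 || input.length > 2048) {
    return { ok: false, reason: "empty, non-string or over length limit" };
  }
  let parsed;
  try {
    parsed = new URL(input); // no base URL: relative input fails instead of being guessed
  } catch (err) {
    return { ok: false, reason: "unparseable or relative URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  if (parsed.hostname === "") {
    return { ok: false, reason: "missing host" };
  }
  // Persist the normalised href so the stored value is exactly what was checked.
  return { ok: true, href: parsed.href };
}

// Constructed sample inputs (not taken from the page): benign URLs plus
// obfuscated pseudo-protocol payloads that a raw-string check lets through.
const SAMPLE_INPUTS = [
  "https://example.com/profile",
  "http://example.com",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "  javascript:alert(1)",        // leading spaces, stripped by the parser
  "java\tscript:alert(1)",        // embedded tab, removed by the parser
  "\u0001javascript:alert(1)",    // leading C0 control character, stripped
  "data:text/html,<b>x</b>",
  "vbscript:msgbox(1)",
  "example.com/no-scheme",        // relative: parse fails, so rejected
];

// Run both checks over the samples; returns one row per input.
function compareChecks(inputs = SAMPLE_INPUTS) {
  return inputs.map((input) => ({
    input,
    naiveAccepts: naiveDenylistAccepts(input),
    hardenedAccepts: validateBookmarkUrl(input).ok,
  }));
}

for (const row of compareChecks()) {
  console.log(JSON.stringify(row));
}
```

The design point is that the check runs on the parsed, normalised URL and stores that normalised form, so what ends up in the anchor's href is exactly the string that was validated; a check on the raw input can be satisfied by whitespace or control characters the browser later discards.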
I could not find any way to share those bookmarks across accounts, which means the stored XSS is only on our account, which is not very useful.
The Microsoft My Apps website allows users to log into multiple accounts simultaneously and switch between accounts as needed.
Since we can only exploit our own account, getting a target to take it over (that is, to be logged into it) would give us access to their account as well, because all the accounts share the same origin.
The idea was to find a way to automatically log any Microsoft account into our malicious account that already had the stored XSS payload. The SSO integration was a perfect vector to test this hypothesis.
Since the user is logged into our account, we know exactly where our malicious bookmark is, allowing us to position it perfectly inside the iframe.
With a bit of CSS, we can scale the iframe and make it invisible, so any click inside our malicious site would result in the user clicking our bookmark.
In the proof of concept I made for Microsoft, I first got the user to click anywhere on the screen and then requested the user to press CTRL+ENTER on their keyboard.
If the user followed the instructions, arbitrary JavaScript would execute.
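The click-redressing step above only works if the page hosting the bookmark can be loaded inside a third-party iframe. The following is an added example, not code from the post or from Microsoft, written from the defender's side: it classifies a response's framing protection from its Content-Security-Policy frame-ancestors directive and X-Frame-Options header. The header maps and the function names are constructed for illustration.

```javascript
// Added example (not the page's or Microsoft's code): a defender-side check of
// whether a page's response headers stop it from being loaded in a third-party
// iframe, the precondition for the invisible-iframe click redress described
// above. Headers are passed as a plain object with lowercased names, the way
// most Node frameworks expose them.

// Parse a Content-Security-Policy header into { directiveName: [sourceTokens] }.
// Per the CSP spec, only the first occurrence of a directive counts.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Classify framing protection as "blocked", "restricted" or "allowed".
// A frame-ancestors directive, when present, takes precedence over
// X-Frame-Options, matching how browsers resolve the two.
function frameProtectionStatus(headers) {
  const csp = headers["content-security-policy"];
  if (csp) {
    const ancestors = parseCsp(csp)["frame-ancestors"];
    if (ancestors) {
      const sources = ancestors.map((t) => t.toLowerCase().replace(/^'|'$/g, ""));
      if (sources.includes("none")) {
        return { framing: "blocked", source: "frame-ancestors 'none'" };
      }
      const anyOrigin = sources.some((s) => s === "*" || /^https?:$/.test(s));
      if (anyOrigin) {
        return { framing: "allowed", source: "frame-ancestors permits any origin" };
      }
      return { framing: "restricted", source: "frame-ancestors " + ancestors.join(" ") };
    }
  }
  const xfo = String(headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { framing: "blocked", source: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") return { framing: "restricted", source: "X-Frame-Options: SAMEORIGIN" };
  return { framing: "allowed", source: "no framing restriction" };
}

// Constructed header sets (not captured from any real site).
const SAMPLE_RESPONSES = {
  unprotected: { "content-type": "text/html" },
  xfoOnly: { "content-type": "text/html", "x-frame-options": "sameorigin" },
  cspNone: { "content-security-policy": "default-src 'self'; frame-ancestors 'none'" },
  cspWildcard: { "content-security-policy": "frame-ancestors *", "x-frame-options": "DENY" },
  cspPartners: { "content-security-policy": "frame-ancestors 'self' https://partner.example" },
};

// Returns { sampleName: framingClassification } for each sample response.
function auditSamples(responses = SAMPLE_RESPONSES) {
  const result = {};
  for (const [name, headers] of Object.entries(responses)) {
    result[name] = frameProtectionStatus(headers).framing;
  }
  return result;
}

console.log(auditSamples());
```

The cspWildcard case is the one worth noticing: a permissive frame-ancestors directive overrides an X-Frame-Options: DENY on the same response, so auditing only the older header gives a false sense of protection.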
It's important to remember that when the JavaScript is executed, the target is logged into our account, which isn't very useful.
Some access tokens for all connected accounts are stored in localStorage.
These tokens persist even when a user switches between accounts.
Wix, one of the most popular website-building platforms in the world, features a marketplace that lets developers create components for use on Wix websites.
A new window is opened to the following URL, which renders our links.
The resulting URL can be shared with anyone if the JWT is valid.
Published on www.imperva.com, Thu, 15 Feb 2024 17:13:04 +0000.