Remote XSS Attack Using CSRF in PayPal's Partner Site to Gain Unauthorized access to Victim's Account
I Hope you're all hustling & hacking with positive attitude ;) .Well it's time for a new post,before starting with the post first of all i would like to say Thanks to all my readers for such an awesome feedbacks,likes,tweets,retweets,emails from all over the world for my last post Remote Code Execution in a PayPal's server.
I would also like to Thank HackerOne for mentioning my article in Top Stories of their Zero Daily Hacking Newsletter .
So lets start
Hunting Cross site scripting ( XSS ) is one of the most tricky issue when bypassing WAFs & Interesting when you want to turn a simple Self Stored XSS to a remote XSS attack.There are various ways our infosec community has come up with you can refer below :
Yes! Luckily i found that PayPal's Partner site : https://www.paypal-brandcentral.com/ had the "Collection Name" as "name" parameter vulnerable to Cross Site Scripting but unfortunately it was an Self XSS which didn't satisfy me for reporting it directly so as soon as i found the Self XSS i checked the application if it has any kind of CSRF Protection implemented and found that nothing was in place.
Therefore,a malicious user can craft a CSRF attack to create a collection with a "XSS Payload" as a name of collection (as the parameter was vulnerable to XSS ) to make this Self XSS to profitable XSS & send it to the victim :
<html> <body> <form action="https://www.paypal-brandcentral.com/!/Lightbox/createNode/" method="POST"> <input type="hidden" name="name" value=""></title>"><svg/onload=prompt(document.cookie);>" /> <input type="hidden" name="itemId" value="0" /> <input type="hidden" name="itemType" value="" /> <input type="hidden" name="guid" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html>
Once the victim opens the above CSRF attack POC hosted link , a collection with the malicious XSS payload will be created & executed (As the application saves & shows the list of all collections within the application with their respective name & name parameter is now saved as an XSS Paylod )which would lead to redirect / steal cookies etc.Below is a snapshot of xss payload executed after visiting the POC Link :
In this way attacker would gain access to the victim's account by making a huge advantage of no implementation of CSRF tokens to prevent csrf attacks across the application. That's it !
Thank you ! I hope you enjoyed. Let me know your feedbacks regarding the post via comments or you can shot me an email at [email protected] for any enquiries .
Oh wait ! Are you Interested in Wifi Hacking or Really keen to know how / what's the actual methodoloy of Wifi Hacking ? I would recommend an awesome book written by @rootSh3ll which is
I'm not here for promotion but the quality content written by @rootsh3ll is pretty much worth sharing & profitable for one who is seeking to learn something new & interesting. You can read out few chapters at his website : Wireless Pentesting and Security The Ultimate Guide. You can avail flat 20 % off using the discout coupon : "PentestBegins".
Thank you ! Please let me know if you have any questions.Happy Hacking & Stay Positive !