DOM Based XSS found at Nokia OVI Store Homepage


Vulnerability Type: Cross Site Scripting
Vulnerable Domain:
Status: Fixed

Detailed Writeup: Last year, I reported a critical DOM Based Cross Site Scripting vulnerability on the homepage of the Nokia Ovi Store. The website uses the CORS (Cross Origin Resource Sharing) mechanism to load content into a particular area (div) of the page via XMLHttpRequests. So let's look at one of the URLs:

The location of the content to be loaded into that div is taken from the URL, specifically from "location.hash".

I use Dominator often. It's a very useful tool. So, I fuzzed the URL with Dominator and got something like this: 1 alert whose source is location.hash and whose sink is . Pretty nice :)

I opened the URL in Google Chrome, and in the console tab I get this:

I tried putting in some junk text just to see what was going on. For example, will result in the following.

Since the sink was , I tried to put my website after the hash, but the HTTP request was still being made to , which obviously won't work. I wanted the XHR to be sent to only. After doing some research I learned about absolute URLs. Then I figured out a classic vector which works with Chrome :\ and... perfect, I made it :) Now there was a dedicated XHR sent to my domain. After bypassing the Same Origin Policy, I could get JavaScript executed on the site:

This DOM Based XSS affected the whole site. Below is the video PoC of how I exploited this vulnerability to steal any user's login details. Enjoy it :)
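As an added example (not code from the original post or from the Ovi Store), here is the fragment-driven loading pattern described above beside a hardened version that keeps the XHR on the page's own origin. The names (vulnerableContentUrl, safeContentPath, loadFragmentInto), the store.example origin and the /content/ allowlist prefix are assumptions, and the response being written into the div as text is an assumed sink since the real one is not shown on the page.

```javascript
// Added example, not the Ovi Store's code. Hypothetical names throughout.

// Vulnerable pattern: location.hash is handed straight to the request URL.
// "#/apps" becomes "/apps", but the browser's URL parser also accepts
// absolute and protocol-relative forms, so the XHR can be retargeted to
// another origin (the same-origin bypass the writeup describes).
function vulnerableContentUrl(hash) {
  return hash.slice(1);
}

// Hardened: resolve the fragment against our own origin using the same
// WHATWG URL parser the browser uses, then reject anything whose origin
// changed and anything outside an allowlisted content prefix. Returns the
// safe path, or null when the request must not be made.
function safeContentPath(hash, baseOrigin, allowedPrefix = '/content/') {
  if (typeof hash !== 'string' || !hash.startsWith('#')) return null;
  let resolved;
  try {
    // Backslashes count as slashes in this parser, as in Chrome, so a
    // "\\host" form resolves to a foreign origin and fails the check below.
    resolved = new URL(hash.slice(1), baseOrigin);
  } catch (e) {
    return null; // unparsable input is rejected, not passed through
  }
  if (resolved.origin !== new URL(baseOrigin).origin) return null;
  // Dot segments are already normalised, so "/content/../x" is "/x" here.
  if (!resolved.pathname.startsWith(allowedPrefix)) return null;
  return resolved.pathname; // query and fragment are dropped on purpose
}

// Caller: only issue the XMLHttpRequest for a path that passed the check,
// and write the response as text rather than HTML (assumed sink).
function loadFragmentInto(div, xhr, hash, baseOrigin) {
  const path = safeContentPath(hash, baseOrigin);
  if (path === null) {
    div.textContent = 'Invalid content location';
    return false;
  }
  xhr.open('GET', path);
  xhr.onload = () => { div.textContent = xhr.responseText; };
  xhr.send();
  return true;
}
```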
I got Nokia Lumia 820 as a reward for this vulnerability.
Thanks to the following people:
