DOM Based XSS found at Nokia OVI Store Homepage

Vulnerability Type: Cross Site Scripting
Vulnerable Domain: http://store.ovi.com/
Status : Fixed

Detailed Writeup: Last year, I reported a critical DOM Based Cross Site Scripting vulnerability on the homepage of the Nokia Ovi Store, http://store.ovi.com/ . The website uses the CORS (Cross Origin Resource Sharing) mechanism to load content into a particular area (div) of the page via XMLHttpRequests. So let's look at one of the URLs:

http://store.ovi.com/#/applications?categoryId=14

The location of the content to be loaded into that div is taken from the URL, specifically from location.hash. I use DOMinator often; it's a very useful tool. So I fuzzed the URL with DOMinator and got something like this:

1 alert whose source is location.hash and whose sink is XMLHR.open (XMLHttpRequest.open). Pretty nice 🙂. I opened the URL in Google Chrome and in the console tab I got this:

I tried putting some junk text just to see what was going on. For example

http://store.ovi.com/#/jasminder

will result in the following.

Since the sink was XMLHR.open, I tried putting my own website after the hash, but..

Now there was a dedicated XHR sent to my domain. Having bypassed the same-origin policy this way, I could get JavaScript executed on the site.
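The root cause described above is that whatever follows the '#' is handed straight to XMLHttpRequest.open as the request URL, so a fragment holding an absolute or protocol-relative URL sends the XHR off-origin, and with a permissive CORS header on the other end the response is readable and ends up in the page. The following is an added example, not code from the Ovi Store or from this post, that shows the unsafe resolver beside a hardened one; the origin https://store.example, the /fragments base path and the function names are assumptions made for the example.

```javascript
// Added example (not the Ovi Store's code): resolving a hash-based route to
// a content URL. PAGE_ORIGIN and CONTENT_BASE are constructed for the example.
const PAGE_ORIGIN = "https://store.example";
const CONTENT_BASE = PAGE_ORIGIN + "/fragments";

// Unsafe pattern from the writeup: the fragment is used verbatim as the XHR
// URL, so "#//other.example/x" or "#https://other.example/" moves the request
// to another origin.
function unsafeContentUrl(hash) {
  return hash.replace(/^#/, "");
}

// Hardened: treat the fragment as an opaque route name, accept only a strict
// allowlist of characters (no scheme, no "//", no ".."), and build the final
// URL from a fixed same-origin base.
const ROUTE_RE = /^\/[A-Za-z0-9_-]+(?:\/[A-Za-z0-9_-]+)*(?:\?[A-Za-z0-9_=&-]*)?$/;

function safeContentUrl(hash) {
  const route = hash.replace(/^#/, "");
  if (!ROUTE_RE.test(route)) {
    return null; // reject anything that is not a plain relative route
  }
  const url = new URL(CONTENT_BASE + route);
  // Belt and braces: whatever the route was, the resolved URL must still be
  // on the page's own origin before it is ever passed to XHR.
  if (url.origin !== PAGE_ORIGIN) {
    return null;
  }
  return url.href;
}

// Generic check a loader can apply to any candidate URL: resolve it the way
// the browser would (relative to the page) and compare origins.
function isSameOrigin(urlString) {
  try {
    return new URL(urlString, PAGE_ORIGIN).origin === PAGE_ORIGIN;
  } catch (e) {
    return false; // unparsable input is treated as unsafe
  }
}

// Stand-alone demonstration of both resolvers on the same fragments.
if (typeof require !== "undefined" && require.main === module) {
  for (const h of ["#/applications?categoryId=14", "#//other.example/x", "#https://other.example/"]) {
    console.log(h, "unsafe:", unsafeContentUrl(h), "same-origin?", isSameOrigin(unsafeContentUrl(h)),
                "safe:", safeContentUrl(h));
  }
}
```

Note that the allowlist approach stops the request from leaving the origin at all, which is the fix for the sink in this writeup; independently of that, a fragment loader should insert the fetched response with textContent or a sanitizer rather than innerHTML, so that even a same-origin response cannot become a script sink.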

This DOM Based XSS affected the whole site. Below is the video PoC of how I exploited this vulnerability to steal any user's login details. Enjoy it 🙂

I got a Nokia Lumia 820 as a reward for this vulnerability.
Thanks to the following people:

https://twitter.com/kkotowicz
https://twitter.com/WisecWisec
https://twitter.com/netfuzzer
