DOM Based XSS found at Nokia OVI Store Homepage

Vulnerability Type: Cross Site Scripting
Vulnerable Domain: http://store.ovi.com/
Status : Fixed

Detailed Writeup: Last year, I reported a critical DOM Based Cross Site Scripting vulnerability on the homepage of the Nokia Ovi Store, http://store.ovi.com/. The website uses the CORS (Cross Origin Resource Sharing) mechanism to load content into a particular area (div) of the page via XMLHttpRequests. So let's look at one of the URLs:

http://store.ovi.com/#/applications?categoryId=14

The location of the content to be loaded into that div is carried in the URL fragment, i.e. "location.hash". I use DOMinator often; it's a very useful tool. So I fuzzed the URL with DOMinator and got something like this:

1 alert whose source is location.hash and whose sink is XMLHttpRequest.open. Pretty nice 🙂. I opened the URL in Google Chrome, and in the console tab I got this:

I tried putting some junk text after the hash just to see what was going on. For example,

http://store.ovi.com/#/jasminder

will result in the following.

Since the sink was XMLHttpRequest.open, I tried putting my own website after the hash, but..

Now a dedicated XHR was sent to my domain. Having bypassed the Same Origin Policy this way, I could get JavaScript executed on the site.
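
The flaw described above, shown as an added example that is not the Ovi Store's own code: the fragment is used directly as the XHR URL, so a protocol-relative value such as "//attacker.example/x" sends the request off-origin, and if that host answers with permissive CORS headers the response body lands in the page. The hardened version only accepts fragments that resolve to a same-origin path (the "/applications" route allowlist and the SITE_ORIGIN value are assumptions modelled on the URL shown in the post) and inserts the response as text rather than HTML.

```javascript
// Added example, not code from store.ovi.com. Origin and route list are assumed.
const SITE_ORIGIN = "http://store.ovi.com";

// Vulnerable pattern: whatever follows '#' becomes the XHR URL unchanged.
// "#/applications?categoryId=14" -> "/applications?categoryId=14" (intended)
// "#//attacker.example/x"        -> "//attacker.example/x" (cross-origin request)
function vulnerableContentUrl(hash) {
  return hash.replace(/^#/, "");
}

// Hardened: the fragment must be a single-slash path that still resolves to
// our own origin, and must name a route this page actually serves.
function safeContentUrl(hash, origin = SITE_ORIGIN) {
  const fragment = hash.replace(/^#/, "");
  // Reject "//host", "http:", "javascript:" and anything not starting with "/".
  if (!/^\/(?!\/)/.test(fragment)) return null;
  // Resolve against the page origin; this also catches "/\host" which the URL
  // parser treats as an authority, so the origin comparison is the real check.
  const resolved = new URL(fragment, origin);
  if (resolved.origin !== new URL(origin).origin) return null;
  // Route allowlist (assumed): only the content endpoints the page uses.
  if (!/^\/applications(\/|$)/.test(resolved.pathname)) return null;
  return resolved.href;
}

// Load the section through an injected XHR factory (so it can be exercised
// outside a browser) and write the body as text, never as markup.
function loadSection(hash, xhrFactory, container) {
  const url = safeContentUrl(hash);
  if (url === null) {
    container.textContent = "Invalid section";
    return false;
  }
  const xhr = xhrFactory();
  xhr.open("GET", url, true);
  xhr.onload = () => { container.textContent = xhr.responseText; };
  xhr.send();
  return true;
}
```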

This DOM Based XSS affected the whole site. Below is the video POC of how I exploited this vulnerability to steal any user's login details. Enjoy it 🙂

I got a Nokia Lumia 820 as a reward for this vulnerability.
Thanks to the following people:

https://twitter.com/kkotowicz
https://twitter.com/WisecWisec
https://twitter.com/netfuzzer