Tuesday, October 29, 2013

eBay XSS finding

I would like to elaborate the reflected XSS finding that I have reported to eBay during the bug bounty program.

While I was playing with the proxy, I focused on the value of the parameter cb (refers to callback) in the request sent to the URLs
 http://rewards.ebay.com/ws/eBayISAPI.dll?GetRewardsInfo
http://www.ebay.com/itm/ws/eBayISAPI.dll?ViewItemLite

I noticed that value is returned in the response in a JavaScript context without filtering or encoding in both URLs. Here's a snippet from the request sent to the rewards page with a sample injection  alert(123); in the cb parameter

GET /ws/eBayISAPI.dll?GetRewardsInfo&item=121071656603&ShowRewards=true&isBucksNew=true&isInvited=false&baseOffer=2&bucksLink=http://my.ebay.com/ws/eBayISAPI.dll?RewardsIntEnroll&CTASignup=false&ExtLanding=false&ssPageName=VI:joinrewards&isEnrolled=false&isClosedVI=false&myebayBucksLink=null&ShowCoupon=false&IsBidFlow=true&ShowBML=true&IsViewItem=true&item=121071656603&cb=alert(123);jQuery1707709477525318212_1361715451002 HTTP/1.1
Host: rewards.ebay.com


The injected value returned in a JavaScript response without filtering or encoding as shown below

alert(123);jQuery1707709477525318212_1361715451002({"couponLinkMsg":null,"nectarOverlayContent":null,"css":"span.offer-bmlcnt>span{font-family:Verdana;font-size:10px;color:#666}.....

No tags are needed in the injected string because the context of the response is already JavaScript.

For a proof of concept: I did the following steps:

1-    Navigated to www.ebay.com
2-    Searched for an item
3-    Clicked on one of the resulting items
4-    Used a proxy to tamper the parameter “cb” while calling http://rewards.ebay.com/ws/eBayISAPI.dll?GetRewardsInfo
5-    The script got executed as shown below:





eBay fixed the issue and added my name to their hall of fame list over http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html 

Bug bounty program rules for eBay is available on http://pages.ebay.com/securitycenter/Researchers.html

Monday, October 28, 2013

Etsy Authorization Bypass Vulnerability

This is an elaboration for the authorization bypass vulnerability I have reported to Etsy through their bug bounty program.

The vulnerability allows an attacker to disclose purchase data of users. For example, it allows disclosing who bought what from whom with what feedback.  It allows also disclosing who is buying what right now.  The vulnerability exists in the Etsy API. These are the steps that I have followed to discover the finding:

First, I followed the steps in http://www.etsy.com/developers/documentation to acquire an API key in order to be able to call the Etsy API methods

Then, I navigated through the available API methods and I found the method "findAllUserBuyerTransactions"  (Its reference is available on  http://www.etsy.com/developers/documentation/reference/transaction#method_findalluserbuyertransactions )

This method retrieves transactions information of buyers. It requires OAuth authentication in order to retrieve data of a certain user. The API method should be called by sending a request to the API URL: http://openapi.etsy.com/v2/users/:user_id/transactions while entering the user id of the currently authenticated user and using OAuth token given from Etsy for such user.  I developed a simple PHP app to call the API method while following the guidelines over http://www.etsy.com/developers/documentation/getting_started/oauth .


A code snippet from the PHP app that uses OAuth will be like:


$data = $oauth->fetch("https://openapi.etsy.com//
                         v2/users/12345678/transactions", 
                            null, OAUTH_HTTP_METHOD_GET);
$json = $oauth->getLastResponse();
print_r(json_decode($json, true));

The generated HTTP request will be something like:

GET /v2/users/12345678/transactions?oauth_consumer_key==abcdefgc12345678abcdefg123456789&oauth_signature_method=HMAC-SHA1&oauth_nonce=102215147874bdd40d6.39711914&oauth_timestamp=1363642187&oauth_version=1.0&oauth_token=abcdefgc12345678abcdefg123456789&oauth_signature=abcdABCD12345qYNyklT9LeEo%3D HTTP/1.1 
User-Agent: PECL-OAuth/1.2.2 
Host: openapi.etsy.com 
Accept: */*

Now, let's hack. The method is expecting me to pass the user id which is mapped with the OAuth token retrieved from Etsy for such user. What I did is passing  a user id of another user while calling the method by my PHP app.  For example, instead of sending 12345678, I sent 87654321.

Normally, it should return an "unauthorized access" response.  Well, it did not. The response contained data. The result was a JSON response that correlated buyer_user_id, seller_user_id, listing_id (item
purchased), buyer_feedback_id. 


Below is a sample  for how the response would look like:


{"count":2,"results":[{"transaction_id":33,"title":"Minnie Mouse Dress","description":"This precious Minnie Mouse dress is perfect for your Minnie birthday party or a trip to meet Mrs. Mouse herself.","seller_user_id":346,"creation_tsz":12545,"tags":["clothing","children","dress","costume","girl“],"materials":["polyester","cotton"],"image_listing_id":157207512,"listing_id":456,"seller_feedback_id":null,
"buyer_feedback_id":34567,"url":"http:\/\/www.etsy.com\/transaction\/123","variations..}

At the end, we can have a table like the one below

Buyer
user  id
Seller user id
Listing id
Buyer feedback id
876XXXX
345XXXX
890XXX
245XXXX
876XXXX
789XXXX
567XXX
567XXXX

The ids in the table can be mapped to names of buyers, sellers and products in addition to feedback messages with API methods that do not require OAuth tokens.

I kept searching for other methods that might have problems, and I found another API method that had a quite similar vulnerability which  is the  "getUserCart" method (available on  http://openapi.etsy.com/v2/users/users/:user_id/carts/:cart_id)

Such method is mainly designed to retrieve cart info for a certain user. Such method requires an OAuth token. Again, I played with the user id and it worked. However, this seemed to be hard to exploit because the attacker will need to predict cart id for a certain user id  in order to work. At least this is what I thought at the beginning. The fact is that the attacker did not need to supply a valid user id at all. He would just supply a valid cart id and it will get the info of such cart regardless of the user id. I was happy with that.

Etsy fixed the issues, rewarded me, sent me a T-Shirt and added my name to their hall of fame list over http://www.etsy.com/help/article/2463 .  Etsy is one of the best bug bounty programs I have participated in. They are fast and professional.

Bug bounty program rules for Etsy is available on  http://www.etsy.com/help/article/2463