
Showing posts with label XSS Flaw.

Cross Site Scripting Bugs Identified in Google Cloud and Play


A security researcher recently discovered a pair of vulnerabilities in Google Cloud, DevSite, and Google Play that allowed attackers to launch cross-site scripting (XSS) attacks, opening the way to account hijacking.

The first vulnerability is a reflected XSS flaw in Google DevSite. An attacker could exploit it by sending a victim a malicious link that runs JavaScript on the affected origins, meaning the attacker could read and alter their contents, circumventing the same-origin policy.

“Due to a vulnerability in the server-side implementation of part of the URL was reflected as html so it was possible to get XSS on the origins using that component from the 404 page,” researcher ‘NDevTK’ explained in a blog post.

The second vulnerability is a DOM-based XSS on Google Play. DOM-based XSS vulnerabilities arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution or HTML parsing, such as eval() or innerHTML. This lets attackers inject malicious JavaScript, which typically paves the way to hijacking other users’ accounts.

The researcher noted in his blog that the site's Content Security Policy (CSP) mitigated the Google Play XSS. Google nonetheless rewarded both findings, paying $3,133.70 for the DevSite bug and $5,000 for the Google Play vulnerability.

“On the search page of [the] Google Play console vulnerable code was run when the search resulted in an error. Getting an error was as simple as doing /?search=& and because window.location includes the hash which never encodes ' it’s possible to escape the href context and set other html attributes. Unlike the DevSite XSS this is prevented by the CSP but was still awarded more by the panel,” the researcher added.
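The mechanism NDevTK describes, as an added example that is not his code or Google's: WHATWG URL parsing percent-encodes a single quote in the query of an http(s) URL but leaves it untouched in the fragment, so a page that concatenates window.location into a single-quoted href lets the fragment close the attribute early. The "/console/?search=" path, the link markup and the payload are constructed for illustration; the hardened builder shows the attribute encoding that stops the breakout.

```javascript
// Added example (not NDevTK's code): why an unencoded "'" in the URL fragment breaks out of
// a single-quoted href, and the attribute encoding that prevents it. The page layout and the
// "/console/?search=" path are constructed for illustration.

// WHATWG URL parsing percent-encodes "'" in the query of an http(s) URL but leaves it
// untouched in the fragment, which is why window.location.hash is the attacker's friend here.
function splitLocation(href) {
  const u = new URL(href);
  return { search: u.search, hash: u.hash };
}

// Vulnerable pattern: the whole location string is concatenated into a single-quoted attribute.
function buildRetryLinkUnsafe(location) {
  return "<a href='" + location + "'>Try again</a>";
}

// Hardened: encode the HTML-significant characters before placing a value in an attribute
// (in a real page, prefer a.setAttribute("href", location), which never goes through the HTML parser).
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}
function buildRetryLinkSafe(location) {
  return "<a href='" + escapeAttr(location) + "'>Try again</a>";
}

// Check: after the quoted href value, nothing may remain before ">".
// Any leftover text means the value closed the quote early and smuggled in an attribute.
function hrefIsIntact(html) {
  const m = /^<a href='([^']*)'([^>]*)>/.exec(html);
  return m !== null && m[2] === "";
}

// Constructed payload: the search errors out (empty parameter) and the fragment closes the
// quote and adds an event handler. "/" separates attributes without needing a space,
// which the fragment would percent-encode.
const sample = "https://play.example/console/?search=&#'/onmouseover='alert(1)";
```

Running `buildRetryLinkUnsafe(new URL(sample).href)` yields an anchor with an extra `onmouseover` attribute, while the encoded version keeps the whole string inside the href. A CSP without `'unsafe-inline'` for scripts blocks the inline handler from executing, which is why NDevTK reports the Google Play case as mitigated rather than exploitable.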

Last November, a researcher at Persistent System unearthed a cross-site scripting (XSS) vulnerability in Chrome’s ‘New Tab’ page (NTP) that allowed attackers to run arbitrary JavaScript code. An attacker could exploit the vulnerability by sending the target an HTML file containing a cross-site request forgery (CSRF).

If the target opened the file, the CSRF script started operating and the query was stored in the browser’s search history. When the user opened an NTP for a second time and clicked on the Google search bar, the malicious code was triggered.

Zimbra Memcached Injection Bug Patched

Zimbra, described by SonarSource as an open-source alternative to email and collaboration platforms such as Microsoft Exchange, has patched a Memcached injection vulnerability. The fix was released on May 10, 2022, in ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is used by organizations, governments, and financial institutions throughout the world.

Unauthenticated attackers could poison the cache of an unsuspecting victim, according to Simon Scannell, a vulnerability researcher at Swiss security firm Sonar. The vulnerability has been assigned CVE-2022-27924 (CVSS: 7.5) and is described as "Memcached poisoning with unauthorized access," which could allow an attacker to inject malicious commands and steal sensitive data.

Because newline characters (\r\n) in untrusted user input were not escaped, attackers could inject arbitrary Memcached commands into a targeted instance, causing cached entries to be overwritten. Memcached servers store key/value pairs that are created and retrieved over a simple text-based protocol parsed line by line. By sending a specially crafted HTTP request to the vulnerable Zimbra server, an attacker could alter the IMAP route entry for a known username, the researchers said. When the genuine user then logs in, Zimbra's Nginx proxy forwards all IMAP traffic, including the credentials in plain text, to the attacker.

This basic attack requires the attacker to know the victim's email address and the victim to use an IMAP client. A second technique, which Sonar calls "Response Smuggling," lifts those constraints and steals credentials for any user with no user interaction and no prior knowledge of the Zimbra instance; it works against the web-based Zimbra client. Cross-site scripting (XSS) and SQL injection issues caused by a lack of input escaping "are well known and documented for decades," as per Scannell, but "other injection vulnerabilities can occur that are less well known and can have a catastrophic consequence."
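The line-oriented protocol described above makes the injection easy to see in a few lines. The following is an added example, not Zimbra's or Sonar's code: a naive client that pastes a username into a Memcached "get", the server-side view that turns each line break into a new command, and a key check that refuses the input before it reaches the wire. The "route:<user>" key layout and the injected value are constructed for illustration.

```javascript
// Added example (not Zimbra's or Sonar's code): why an unescaped CR/LF inside a username
// lets one "get" carry a second memcached command, and a key check that refuses such input.
// The "route:<user>" key layout and the injected value are constructed for illustration.
const CRLF = "\r\n";

// Naive client: untrusted input is pasted straight into the text protocol.
function buildGetUnsafe(username) {
  return "get route:" + username + CRLF;
}

// Hardened client: memcached keys may not contain whitespace or control characters
// and are limited to 250 bytes, so anything else is refused before it reaches the wire.
function buildGetSafe(username) {
  const key = "route:" + username;
  if (Buffer.byteLength(key, "utf8") > 250 || /[\x00-\x20\x7f]/.test(key)) {
    throw new Error("refusing to send invalid memcached key");
  }
  return "get " + key + CRLF;
}

// Server-side view: the text protocol is parsed one line at a time, so every line break
// starts a new command. Returns the first word of each non-empty line.
function commandsOnWire(wire) {
  return wire.split(CRLF).filter(line => line.length > 0).map(line => line.split(" ")[0]);
}

// Constructed payload: ends the "get" line, then "set"s the victim's route entry to an
// attacker-controlled host. The data block length matches the byte count the set line declares.
const attackerValue = "attacker.test:143";
const payload = "victim" + CRLF + "set route:victim 0 0 " + attackerValue.length + CRLF + attackerValue;
```

`commandsOnWire(buildGetUnsafe(payload))` starts with `["get", "set"]`: the server sees two commands where the client meant one, and the second overwrites the cached route. `buildGetSafe(payload)` throws instead, which is the check Scannell's advice about special characters amounts to in practice.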

As a result, Scannell advises programmers to "be cautious of special characters that should be escaped when coping with technology where there is less documentation and research regarding potential vulnerabilities." The bug was discovered four months after Zimbra shipped a hotfix for an XSS flaw exploited in a series of sophisticated spear-phishing campaigns attributed to an undisclosed Chinese threat group.

Expert Posts About Blogger's CSP Flaw

A security researcher has found a way to bypass Content Security Policy (CSP) protections on sites that host WordPress. The technique, found by Paulos Yibelo, relies on same-origin method execution and uses JSON padding (JSONP) to call a function of the attacker's choosing.

Chained with an HTML injection or cross-site scripting (XSS) bug, which the researcher does not currently have, the technique could be used to take over a WordPress account. Yibelo has not tried the trick on live websites, limiting his tests to research sites he owns.

“I haven’t really attempted to because it requires a logged-in WordPress user or admin to visit my website, so I install the plugin and have an HTML injection – which is illegal to do," said Yibelo. He also said he had not tried to abuse the bug in the wild through bug bounty programs.

Yibelo informed WordPress about the issue three months ago but received no reply, after which he published the findings publicly in a blog post.

The technique applies in two situations: first, websites that do not primarily run WordPress but expose a WordPress endpoint on the same domain or subdomain; second, a WordPress-hosted website that sets a CSP header.

Yibelo's blog says that if an attacker finds an HTML injection vulnerability in the main domain (for example, in a non-WordPress application), they can use a WordPress endpoint to upgrade an otherwise useless HTML injection into a full-blown XSS, which can then be escalated to remote code execution (RCE). In other words, having WordPress anywhere on the site defeats the purpose of a strict CSP.

Yibelo hopes that WordPress fixes the issue soon so that CSP stays meaningful on sites that host WordPress endpoints. CSP is a header set by sites and enforced by browsers that restricts which resources a page may load and blocks many XSS attacks.

PortSwigger reports: "CSP is a browser security mechanism that aims to mitigate XSS and some other attacks. It works by restricting the resources (such as scripts and images) that a page can load and restricting whether a page can be framed by other pages."
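To make the bypass concrete, here is an added example (not Yibelo's code, not WordPress's): a minimal matcher for the script-src directive that shows why a policy built on 'self' cannot block a same-origin JSONP endpoint, while a nonce-based policy can, together with the shape of a JSONP response that calls whatever function name the attacker supplies. The REST path and the _jsonp parameter name are assumptions for illustration; only 'self', nonces and host sources are modelled.

```javascript
// Added example (not Yibelo's or WordPress's code): a minimal script-src matcher showing why
// a policy built on 'self' cannot block a same-origin JSONP endpoint, while a nonce policy can.
// The REST path and the _jsonp parameter name are assumptions for illustration.

// Return the source list of the script-src directive (falls back to default-src).
function scriptSources(csp) {
  const directives = csp.split(";").map(d => d.trim().split(/\s+/)).filter(d => d[0]);
  const pick = name => directives.find(d => d[0] === name);
  const d = pick("script-src") || pick("default-src");
  return d ? d.slice(1) : [];
}

// Decide whether a <script src=...> with an optional nonce is permitted on pageOrigin.
// Only 'self', 'nonce-...' and host sources are modelled; hashes and 'strict-dynamic' are not.
function scriptAllowed(csp, pageOrigin, scriptUrl, nonce) {
  const url = new URL(scriptUrl, pageOrigin);
  for (const src of scriptSources(csp)) {
    if (src === "'self'" && url.origin === pageOrigin) return true;
    if (src.startsWith("'nonce-") && nonce && src === "'nonce-" + nonce + "'") return true;
    if (src.startsWith("'")) continue; // other keyword sources are not modelled
    const hostOrigin = new URL(src.includes("://") ? src : "https://" + src).origin;
    if (url.origin === hostOrigin) return true;
  }
  return false;
}

// What a JSONP endpoint hands back: the caller-supplied function name wrapped around JSON.
// The callback name is attacker-chosen, so the script body calls whatever global the attacker names;
// the character whitelist is an assumed one, not WordPress's.
function jsonpResponse(callback, data) {
  if (!/^[\w.]+$/.test(callback)) throw new Error("callback rejected");
  return "/**/" + callback + "(" + JSON.stringify(data) + ");";
}

const origin = "https://example.test";
// Constructed: the script tag an HTML-injection bug would let an attacker place on the page.
const injected = "/wp-json/wp/v2/posts?_jsonp=alert"; // assumed JSONP endpoint
```

With `script-src 'self'`, `scriptAllowed(csp, origin, injected)` returns true: the JSONP response is same-origin, its body is `/**/alert({...});`, and the browser executes it. With `script-src 'nonce-abc123'` the injected tag carries no nonce and is refused, while the site's own `<script nonce="abc123" src="/app.js">` still loads. That is the practical takeaway: on a site that hosts a JSONP endpoint, a host-based allowlist is not a script-execution boundary, and a nonce or hash policy is the only CSP that still means something.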

Zero-Day Vulnerability Exploited in Zimbra Email Platform to Spy on Users


As part of spear-phishing campaigns that began in December 2021, a threat actor, most likely of Chinese origin, is actively exploiting a zero-day vulnerability in the Zimbra open-source email platform.

In a technical report published last week, cybersecurity firm Volexity described the espionage operation, codenamed "EmailThief," stating that successful exploitation of the cross-site scripting (XSS) vulnerability could lead to the execution of arbitrary JavaScript code in the context of the user's Zimbra session. 

The intrusions, which commenced on December 14, 2021, were linked to a previously unknown threat actor that Volexity is tracking under the moniker TEMP_HERETIC, with the attacks focused on European government and media organizations. The zero-day vulnerability affects Zimbra's most recent open-source edition, version 8.8.15.

The attacks reportedly proceeded in two stages. The first was reconnaissance: emails were sent to determine whether a target had received and opened the messages. Multiple waves of email then followed to lure users into clicking a malicious link. The attacker used 74 different email identities to send the messages over two weeks, with the initial recon emails carrying generic subject lines ranging from invitations to charity auctions to refunds for airline tickets.

Steven Adair and Thomas Lancaster noted, "For the attack to be successful, the target would have to visit the attacker's link while logged into the Zimbra webmail client from a web browser. The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook." 

If exploited, the unpatched vulnerability could be used to exfiltrate cookies, giving persistent access to a mailbox, to send phishing messages from the hijacked account to spread the infection, and even to facilitate the installation of additional malware.

The researchers stated, "None of the infrastructure identified […] exactly matches infrastructure used by previously classified threat groups."  

"However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor." 

Further the company recommended, "Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15."  

Live XSS Flaw Exists in DMCA-dot-com


The user interface of the takedowns website DMCA-dot-com has an active cross-site scripting (XSS) vulnerability. It's been there for almost a year and has not been addressed. 

After more than a year of attempting and failing to convince DMCA-dot-com to take the XSS seriously, Infosec researcher Joel Ossi, founder of Dutch security firm Websec, disclosed his findings. "I registered at DMCA at first with an intention to protect my own website," he blogged, explaining that he found unescaped free-text entry boxes in the DMCA user interface that allowed him to create an XSS. 

DMCA-dot-com is a copyright takedown service. Users pay the site to carry out the time-consuming task of getting an alleged infringer's copy of their work removed from the internet under the US Digital Millennium Copyright Act. A takedown can cost as much as $199.

On a video conference with The Register, Ossi demonstrated his findings in real time. The typical XSS tell-tale, a popup with a personalized message, appeared every time he navigated to a new page in the DMCA-dot-com user area. The script for doing so was fairly straightforward. He originally discovered the flaw in late 2020 and spent a year trying, without success, to get the attention of DMCA-dot-com's operators.

DMCA-dot-com's last message to Ossi, sent as he tried to persuade helpdesk staff to forward his vulnerability report, stated: "Our development team will be reaching out if / when they need to. Our support department cannot help you on this." Ossi did ask for a bug bounty, but The Register confirmed that he had made a full confidential disclosure of his findings before raising the question of payment.

Both Ossi and The Register attempted to contact DMCA-dot-com several times and in The Register's instance, the company didn't even respond to the attempts to reach them. While Ossi was the first to discover the XSS flaws in DMCA-dot-com, he isn't the only one. Two different entries on the Open Bug Bounty site, one from April and the other from June, indicate XSS vulnerabilities in DMCA. 

Cross-site scripting vulnerabilities let an attacker run scripts in another user's browser in the context of the vulnerable website. The problem often exists because free-text entry forms do not sanitize user input, as MITRE notes. An attacker could take over a DMCA-dot-com account by extracting active session tokens from cookies. According to Ossi, it would not take much to falsely bill for services, remove DMCA-dot-com's protection badge from a webpage, or delete an account.

Jake Moore, a global cybersecurity advisor to infosec firm ESET, told The Register: "Cross-site scripting vulnerabilities can allow an attacker to masquerade as a standard user and carry out any actions that the user is able to perform such as access the user's data. User accounts can then ultimately be compromised and credentials or other information could be stolen with great ease." 

Immersive Labs' app security specialist Sean Wright further added: "Despite the fact they have been a part of the attacker toolkit for some time, many still underestimate the risks from XSS vulnerabilities. However, they are effectively client-side remote code execution vulnerabilities. In the right circumstances, and combined with tools such as the Browser Exploitation Framework, XSS vulnerabilities give an attacker almost complete control of a browser. Ultimately, this could lead to redirects to malicious sites and even performing actions on behalf of the user."

It is hoped that someone at DMCA-dot-com will pay attention to a disclosure that is now a year and a half old.

New Vulnerabilities Expose EVlink Electric Vehicle Charging Stations to Remote Hacking


In a security advisory, Schneider Electric confirmed the discovery and patching of multiple vulnerabilities in EVlink EV charging stations that could expose these deployments to malicious attackers.

The flaws affect the EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2, and EVP2PE), and Smart Wallbox (EVB1A) products, as well as other products that are being discontinued.

Cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws stand out among the vulnerabilities addressed, both of which could be used to launch actions impersonating legitimate users; additionally, a vulnerability was addressed that could give attackers complete access to charging stations via brute force attacks. 

The most serious vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.3 out of 10. The firm warns that exploiting it could have serious consequences.

Schneider’s notice stated, “Malicious manipulation of charging stations could lead to denial of service (DoS) attacks, deregistration, and disclosure of sensitive information.” 

The majority of these flaws require physical access to the system's internal communication ports, while some more sophisticated assaults can be carried out remotely over the Internet. The vulnerabilities entail sending specially crafted queries, according to Tony Nasr, the researcher who first disclosed the flaws, and exploitation does not require interaction from vulnerable users. 

“Attacks allow threat actors to exploit compromised EVCS in a similar way to the operation of a botnet, allowing the deployment of various attacks.” 

Exploiting the CSRF and XSS vulnerabilities, on the other hand, requires some user interaction. While internet-exposed EVlink deployments present the most dangerous attack vector, attackers could still pose a serious risk to these stations over the LAN, since EVlink configuration requires network connectivity for remote control and more efficient management.

Nasr concluded by stating that these flaws were discovered as part of a larger research on charging station management systems for electric vehicles. The study's full findings will be released in the coming months.

Newly Discovered XSS Flaw in Google Chrome’s ‘New Tab’ Page Evades Security Feature


A cross-site scripting (XSS) vulnerability in Chrome’s ‘New Tab’ page (NTP) that allowed hackers to run arbitrary JavaScript code has been patched by the Chromium team. 

Threat actors can exploit the vulnerability by sending an HTML file to the target that contains a cross-site request forgery (CSRF), which sends a malicious JavaScript code snippet as a search query to Google, said Ashish Dhone, cybersecurity researcher at Persistent System who discovered the vulnerability.

If the target opens the file, the CSRF script starts operating and the query is stored in the browser’s search history. When the user opens an NTP for a second time and clicks on the Google search bar, the malicious code is triggered.

It gets worse: if the user was logged into their Google account when opening the malicious file, the request is saved to their account’s search history and triggered on any other device where that Google account is logged in.

“I wanted to find XSS in Chrome, hence my hunting started with the desktop application of Google Chrome. I was looking for HTML markup functionality where XSS can be executed. After spending hours, somehow, I found that in NTP, stored search queries are not sanitized and then I was able to execute [the uXSS],” Ashish stated. 

UXSS attacks abuse client-side flaws in a browser or browser extensions in order to generate an XSS condition and execute malicious code. “When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled,” Dhone explained.

While the vulnerability is dangerous, other researchers have pointed out that it is not a uXSS. “This XSS is a classic DOM-based XSS, where user-controlled text is assigned as an HTML using innerHTML,” security researcher Jun Kokatsu explained. 

Chrome’s NTP exposes Mojo.JS bindings that can send inter-process communication (IPC) messages to the browser through JavaScript code. The XSS bug could abuse this IPC channel to exploit a bug in the browser process, which executes at a much higher privilege than code running in web pages. 

“Usually, getting control over sending arbitrary IPC requires native code execution in the renderer process such as memory corruption bugs in the JS engine,” Kokatsu said. “However, because the IPC channel was exposed to JS directly in NTP, the XSS in Chrome’s NTP can be treated as the equivalent of renderer process RCE.”