A Short Story on XSS sitting inside Login Page


Hi Everyone,

In this blog post I will discuss XSS in authentication pages. I prefer to write less about XSS on this blog, but the XSS I found in 123ContactForm came out of nowhere, so it pushed me to write this post.

About 123Contact Form:-
123ContactForm is an online web form and survey builder. It helps designers create powerful web-based forms and surveys without any technical knowledge.
123ContactForm has become a worldwide top class online form and survey builder.
Well, this is all their site says in its About section.

Introduction:-
Everyone knows about XSS; if not, you can refer here.
Usually we find XSS in the URL, in a search parameter and so on... but what about authentication pages?
When we talk about an authentication page or login page, we generally test for SQLi, authentication bypass, broken-authentication bugs, etc.

Well, do we think about XSS?

Proof Of Concept:-

The story starts when I was on the login page of 123Contact Form. This time I was not thinking about SQLi, authentication bypass or session-related bugs; what I was thinking about was XSS.

So rather than entering my username and password, I simply injected an XSS script as a payload in the username field. I know this might be a funny try on my end. After injecting the script I fired up Burp Suite to see the request and response, in order to check where my payload was landing and whether they had any server-side validation checks or not.

I was so shocked to see the response :D

Below is the screenshot of the response:-



My input is reflected in the response as is :D Well, this is what an XSSer wants.




  • Vulnerable parameter:   Username and Password field
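
The unencoded reflection described above, as an added example that is not part of the original post and not 123ContactForm's code: a failed-login page that echoes the submitted username as-is, next to the same page with output encoding, plus a check that tells the two apart. The form markup, function names and probe string are constructed for illustration, and the assumption is that the page re-renders the username both in an error message and in the input's `value` attribute.

```python
import html

# Constructed probe: HTML metacharacters plus a unique marker, no script.
PROBE = '"><i>canary-7f3a</i>'

# Hypothetical login page template (assumption, not the site's real markup).
FORM = ('<form method="post" action="/login">'
        '<p class="error">Invalid login for {shown}</p>'
        '<input name="username" value="{value}">'
        '<input name="password" type="password">'
        '</form>')


def render_login_vulnerable(username: str) -> str:
    """Failed-login page that echoes the submitted username as-is."""
    return FORM.format(shown=username, value=username)


def render_login_hardened(username: str) -> str:
    """Same page with HTML output encoding applied before rendering."""
    # quote=True also encodes " and ', which matters inside value="...".
    safe = html.escape(username, quote=True)
    return FORM.format(shown=safe, value=safe)


def reflects_unencoded(body: str, probe: str = PROBE) -> bool:
    """True if the probe appears in the response exactly as submitted."""
    return probe in body


def audit(render) -> dict:
    """Submit the probe and report how it comes back in the response body."""
    body = render(PROBE)
    return {
        "raw_reflection": reflects_unencoded(body),
        "encoded_reflection": html.escape(PROBE, quote=True) in body,
    }


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_login_vulnerable),
                     ("hardened", render_login_hardened)]:
        print(name, audit(fn))
```

A raw reflection means the markup in the input was parsed by the browser as part of the page; an encoded reflection means it is displayed as text. The same `audit` check can be run as a regression test for every field a form echoes back, the password field included.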



So I reported the XSS bug along with my all-time favorite, CSRF ;)

After reporting the XSS bug I got a reply from their Support team.



Hmmm, so you guys seriously fixed all the XSS bugs? The answer is NO.

Well, again I XSSed their Create Account section :P





2nd XSS on Create Account Section:- 



Finally they patched the bug:-


123ContactForm fixed this issue and put my name on their security acknowledgements list.


Moral of the Story:
- Try thinking outside the box
- Always try new things and push yourself
- Easy findings are always around you; you just have to act smart to find them.


Time-Line:

Vulnerability timeline:

Aug 7, 2015 at 1:59 PM: Reported to 123Contact Form Team
Aug 11, 2015 at 3:17 AM: Received initial reply from 123Contact Form Team
Aug 12, 2015 at 4:26 PM: 123Contact Form Team released a quick fix for the vulnerability
Aug 12, 2015 at 4:42 PM: Again reported another XSS
Sep 10, 2015 at 1:32 PM: 123Contact Form Team released a quick fix for the vulnerability
Oct 14, 2015 at 4:47 PM: Full disclosure

2 comments

11 March 2016 at 06:53

Hi Nilesh,
Really good story. I have a query: I want to know how to inject XSS attacks in the inner forms of a web page (forms that appear after login, My Profile page or My Account). Please share your thoughts or a URL.

Thanks
Avinash

11 March 2016 at 07:29

Hi Avinash,

Thanks for your comments. Sure, I am happy to resolve your doubts or queries.

You can ping me on my email address :)

Regards,
Nilesh S
