I seem to be running in to quite a few ‘Post xss’ vulnerabilities lately. I generally try to find a csrf to turn it in to a more valid threat.
A few months ago I was reviewing a popular web based marketplace software and discovered a Post xss when modifying parameters on an in cart item. Yes! I was able to find a csrf that made the Post xss a little more exploitable.
This alone could have been a stopping point, but how do I make sure that there is something in the victims shopping cart to begin with? If the cart is empty our payload will not work. You guessed it! Luckily enough I was able to find another csrf that allowed me to add an item to the victims cart.
The culmination of this was to include both csrf vulnerabilities into the same poc html. The first adds the item to the victims cart and the second modifies the item to insert our xss code. In the poc I had it auto submit both requests opening two separate tabs so that we can see what is happening.
The problem is that the first csrf vulnerability needs to have time to add an item to the cart before the second one tries to modify a parameter on said item to include our payload. For this I used
<form id=”additemcsrf” target=”_blank” form action=”etc etc” and
<form id=”csrftoxss” target=”+blank” form action=”etc etc”
Then to bring them together and add timing so that the item gets added to the cart before we modify it with the second csrf.
document.getElementById(“additemcsrf”).submit();
window.setTimeout( function () { document.forms.csrftoxss.submit()}, 1000);
This will let the item get added with enough time for the second tab to open and our XSS to pop. Also after the item in carts parameters have been modified the xss will execute every time the victim views their shopping cart until the item is removed.
Luckily I only needed two csrf vulnerabilities to make the xss pop however if needed we could chase all around the site until all of the conditions were met via forged forms.
Public disclosure forthcoming after the allocated time frame has ended.
Cheers!
~M
Matt Landers 