Tuesday, February 17, 2015

Whitelisting goes wrong


It's been a while. No recent bounty post, as I'm slowing down on that and focusing on my new workplace. But I'm still doing my favourite stuff, pentesting :)

Last December I tested one of our client's web applications. I'm going to share one of the findings that I found quite interesting.

This application is used for a state mapping service. A user can view the updated geoportal for their state by browsing to this application.

There are two frames: the left side shows the updated map, while the right side contains the updated information about the place, which is controlled by another application. The right column is in fact only iframed into this geoportal site.

What makes this interesting is that the iframe source was already whitelisted: only x.xxx.xxx.com could be used on this geoportal application, and anything else would be rejected. Other known special characters were also properly filtered to prevent XSS. However, this source URL could be controlled by the user!

A little testing revealed that the whitelist (AWL) was quite poor, because all it actually checked was that x.xxx.xxx.com appeared somewhere in the source URL. So, say I change the source URL to http://www.google.com/x.xxx.xxx.com/blalala: it will be treated as a valid URL and the application will process the request.

Knowing this, I just created an HTML file containing an XSS payload and hosted it on my external server. Of course, the name of my file was x.xxx.xxx.com.html

Oh well, that's how it goes.

bye :)