Saturday, 6 June 2015

About Group (about.com) All Topics (At least 99.88% links) Vulnerable to XSS & Iframe Injection Security Attacks, About.com Open Redirect Web Security Vulnerabilities

About Group (about.com) All Topics (At least 99.88% links) Vulnerable to XSS & Iframe Injection Security Attacks, About.com Open Redirect Security Vulnerabilities



Vulnerability Description:
About.com all "topic sites" are vulnerable to XSS (Cross-Site Scripting) and Iframe Injection (Cross Frame Scripting) attacks. This means all sub-domains of about.com are affected. Based on a self-written program, 94357 links were tested. Only 118 links do not belong to the topics (Metasites) links. Meanwhile, some about.com main pages are vulnerable to XSS attack, too. This means no more than 0.125% links are not affected. At least 99.875% links of About Group are vulnerable to XSS and Iframe Injection attacks. In fact, for about.com's structure, the main domain is something just like a cover. So, very few links belong to them.

Simultaneously, the About.com main page's search field is vulnerable to XSS attacks, too. This means all domains related to about.com are vulnerable to XSS attacks.

For the Iframe Injection vulnerability. They can be used to do DDOS (Distributed Denial-of-Service Attack) to other websites, too.
Here is one example of DDOS based on Iframe Injection attacks of others.
http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html

In the last, some "Open Redirect" vulnerabilities related to about.com are introduced. There may be large number of other Open Redirect Vulnerabilities not detected. Since About.com are trusted by some the other websites. Those vulnerabilities can be used to do "Covert Redirect" to these websites.





Vulnerability Disclosure:
Those vulnerabilities were reported to About on Sunday, Oct 19, 2014. No one replied. Until now, they are still unpatched.




















Vulnerability Discover:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@Justqdjing)




(1) Some Basic Background

(1.1) Domain Description:

"For March 2014, 61,428,000 unique visitors were registered by comScore for About.com, making it the 16th-most-visited online property for that month." (The New York Times)

"About.com, also known as The About Group (formerly About Inc.), is an Internet-based network of content that publishes articles and videos about various subjects on its "topic sites," of which there are nearly 1,000. The website competes with other online resource sites and encyclopedias, including those of the Wikimedia Foundation, and, for March 2014, 61,428,000 unique visitors were registered by comScore for About.com, making it the 16th-most-visited online property for that month. As of August 2012, About.com is the property of IAC, owner of Ask.com and numerous other online brands, and its revenue is generated by advertising." (Wikipedia)

"As of May 2013, About.com was receiving about 84 million unique monthly visitors." (TechCrunch. AOL Inc.)

"According to About's online media kit, nearly 1,000 "Experts" (freelance writers) contribute to the site by writing on various topics, including healthcare and travel." (About.com)





(1.2) Topics Related to About.com
"The Revolutionary About.com Directory and Community Metasite. Hundreds of real live passionate Guides covering Arts, Entertainment, Business, Industry, Science, Technology, Culture, Health, Fitness, Games,Travel, News, Careers, Jobs, Sports, Recreation, Parenting, Kids, Teens, Moms, Education, Computers, Hobbies and Local Information." (azlist.about.com)

About.com - Sites A to Z 
Number of Topics
A: 66
B: 61
C: 118
D: 49
E: 33
F: 57
G: 39
H: 48
I: 32
J: 15
K: 13
L: 36
M: 70
N: 26
O: 23
P: 91
Q: 4
R: 32
S: 104
T: 47
U: 12
V: 9
W: 43
X: 1
Y: 4
Z: 1
SUM: 1039

Reference:

In fact, those are not all topics of about.com. Some of the topics are not listed here such as,

So, there are more than 1000 topics related to about.com.






(1.3) Result of Exploiting XSS Attacks

XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. 

Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results:

    "Identity theft
    Accessing sensitive or restricted information
    Gaining free access to otherwise paid for content
    Spying on user’s web browsing habits
    Altering browser functionality
    Public defamation of an individual or corporation
    Web application defacement
    Denial of Service attacks (DOS)
" (Acunetix)




(1.4) Basics of Iframe Injection (Cross-frame-Scripting) Vulnerabilities
"In an XFS (Cross-frame-Scripting) attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. The attacker induces the browser user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame; and then JavaScript executing in the attacker's page steals data from the third-party page." (OWASP)

"XFS also sometimes is used to describe an XSS attack which uses an HTML frame in the attack. For example, an attacker might exploit a Cross Site Scripting Flaw to inject a frame into a third-party web page; or an attacker might create a page which uses a frame to load a third-party page with an XSS flaw." (OWASP)




(1.5) Basic of Open Redirect (Dest Redirect Privilege Escalation) Vulnerabilities
"An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it." (OWASP)

Open redirect is listed in OWASP top 10. The general consensus of it is "avoiding such flaws is extremely important, as they are a favorite target of phishers trying to gain the user's trust."




Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. CNN has patched some of them. "The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" A great many of the following web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to XSS and URL Redirection vulnerabilities and cyber intelligence recommendations.





(2) About Group About.com All Topics (At least 99.88% links) Vulnerable to XSS (Cross-Site Scripting) Security Attacks


Domain:



Vulnerability description:

A method was found to attack users of About.com based XSS attacks. 

All links under the topics of about.com can be used for this attack.

Just attach "/lr/" to any About.com's sub-domains. Then attach "any codes + sciript" or attach "script" code directly is OK. The structure is "http://subdomain.about.com/lr/*/script_code/*".


The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (26.0) in Ubuntu (14.04) and Microsoft IE (9.0.15) in Windows 7.




























































POC Codes, e.g.
/"><svg/onload=alert(/justqdjing/)>
http://ipod.about.com/lr/ipad_how-tos/9033"><svg/onload=alert(/justqdjing/)>
http://dc.about.com/lr/shopping/a/BlkFriday.htm/"><svg/onload=alert(/justqdjing/)>







(3) About Group About.com Main Page's Search Field XSS (Cross-Site Scripting) Security Vulnerabilities


Vulnerability description:

The web application About.com online website has a security bug problem. It can be exploited by XSS attacks.

The code programming flaw occurs at about.com main page's search field, e.g.





















POC Codes, e.g.
"--/>"><img src=x onerror=prompt(/justqdjing/)>
http://www.about.com/?q="--/>"><img src=x onerror=prompt(/justqdjing/)>









(4) About Group About.com All Topics (At least 99.88% links) Vulnerable to Iframe Injection (Cross Frame Scripting) Security Attacks



Vulnerability description:
About Group has a security problem. It can be exploited by Iframe Injection (Cross Frame Scripting) attacks.


The vulnerability occurs at about.com "offsite.htm" page with "zu" parameter, e.g.

Use "http://whitehatpost.blog.163.com/" for the following test.


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 









































Vulnerable URLs:







POC Video:









(5) About (about.com) Open Redirect Multiple (Dest Redirect Privilege Escalation) Security Vulnerabilities

About Group online web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 


Use one of webpages for the following tests. The webpage address is "http://www.inzeed.com/kaleidoscope/". Suppose that this webpage is malicious.



Vulnerable URL 1:


POC:




Vulnerable URL 2:

POC:




Vulnerable URL 3:

POC:





















No comments:

Post a Comment