[ CWE-79 ] *.nastyfans.org is vulnerable to script injection
by Boris007 on 18/06/2020, 05:51:18 UTC
⭐ Merited by suchmoon (7) ,LoyceV (6) ,ChuckBuck (1) ,TryNinja (1) ,dragonvslinux (1)
Hi Guys!

I hope you are doing great in this difficult time of pandemic. I just want to bring attention to the fact that the websites https://nastyfans.org/ and https://analyzer.nastyfans.org/ are leaking security information and are vulnerable to script injection.
As an honest disclosure, I would like to share some requests and responses to the server that prove my point, and after that a POC.

Request:



Response:



The response clearly shows that the s parameter is reflected here and could be vulnerable to cross-site scripting, but wait, we are not confirmed yet. Let's move to another part, i.e. https://analyzer.nastyfans.org/ ; here we have a search function which leaks the search code as below:

Code:
<form action='?s=1' method='POST' />
<input type='text' size='35' id='search' name='search' value='1Nasty' /><input type='submit' name='Submit' value='Submit' /><br>
</form>

Ohh... wait a minute, do you see the s parameter here too? Yes, it is there: '?s=1', so we are now 60 percent confirmed that there is an XSS vulnerability on the site.

But as the legends say, if you cannot execute a pop-up, you cannot prove that there is XSS to a layman.

So here is the POC:

In the search request, add the following simple script to confirm the execution of the external script:

Request from Burp Suite:



Manual script injection:

Enter the below script in the search box:
Code:
"><script>alert('Boris007 was here')</script>



Press submit and see the pop-up.



Effect:

A malicious person can inject a shell script and get the personal deposit address of the respective accounts, email, etc., along with server information. If the website, as claimed, operates 1000s of BTC, then the vulnerability is intensified.

A related bounty was resolved recently on HackerOne: https://hackerone.com/reports/449351


For the above vulnerability, the severity was moderate as the website was only vulnerable on IE, but in this case it is vulnerable in all browsers including Chrome, Firefox and Edge (latest version).

As of today, the server was last updated on:

Code:
Logged At    Not Before    Not After
2020-06-06   2020-06-06


regards,
boris007
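The post's finding, in short, is that the search value is echoed back into the page without encoding. The following is an added example, not code from the original post or from nastyfans.org: it rebuilds a page of the kind described (the leaked search form plus a results line) in a vulnerable and a hardened version, feeds both the probe string quoted in the post, and runs the check the author did by eye, namely whether the raw parameter value with its markup characters intact appears in the response. The functions `renderVulnerable`, `renderSafe`, `escapeHtml`, `reflectsUnencoded`, `hasScriptElement` and the sample markup are assumptions made for this demo; the real site's server-side code is not known.

```javascript
// Added example, not code from the original post or from nastyfans.org.
// Everything below (function names, page template) is assumed for the demo.

// The probe string quoted in the post, used only as input to the two
// renderers to show that output encoding neutralises it.
const PROBE = "\"><script>alert('Boris007 was here')</script>";

// Encode the five characters that can end a text node or an attribute
// value. This is the standard fix for reflected XSS: the untrusted value
// stays data and is never parsed as markup. '&' goes first so that the
// entities produced by the later replacements are not encoded twice.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Shared page template (assumed). `search` is whatever the user submitted;
// the caller decides whether it has been encoded before it gets here.
function page(search) {
  return [
    "<form action='?s=1' method='POST'>",
    "<input type='text' size='35' id='search' name='search' value=\"" + search + "\" />",
    "<input type='submit' name='Submit' value='Submit' /><br>",
    "</form>",
    "<p>Results for: " + search + "</p>",
  ].join('\n');
}

// Vulnerable version: the submitted value is pasted straight into the HTML,
// which is the behaviour the post reports for the live site.
function renderVulnerable(search) {
  return page(search);
}

// Hardened version: same template, value encoded first.
function renderSafe(search) {
  return page(escapeHtml(search));
}

// Defender-side check matching what the post did by hand: does the response
// body contain the raw parameter value, with its markup characters intact?
// If so, the parameter is reflected without encoding and needs fixing.
function reflectsUnencoded(param, body) {
  return /[<>"']/.test(param) && body.includes(param);
}

// Does the rendered markup contain a live <script> element? An encoded
// "&lt;script&gt;" does not match, because it is text, not a tag.
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run: the vulnerable page reflects the probe and contains a
// script element; the hardened page does neither.
console.log('vulnerable reflects probe:', reflectsUnencoded(PROBE, renderVulnerable(PROBE)));
console.log('hardened reflects probe:  ', reflectsUnencoded(PROBE, renderSafe(PROBE)));
console.log('hardened markup:\n' + renderSafe(PROBE));
```

`reflectsUnencoded` is deliberately narrow: it only flags a parameter that carries markup characters and comes back byte-for-byte, which is the case that matters. A value such as `1Nasty` is reflected by both renderers and is harmless, so the check does not report it. Encoding at the point of output, as `renderSafe` does, is the fix for every reflection point at once; restricting the test to one browser, as the HackerOne report the post links to had to, is not necessary here.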