[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: PayPal Bug Bounty #119 - Stored Cross Site Scripting Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2015-08-28 13:47:08
Message-ID: 55E0665C.7070906 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
PayPal Bug Bounty #119 - Stored Cross Site Scripting Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1588
Video: http://www.vulnerability-lab.com/get_content.php?id=1587
Vulnerability Magazine: \
http://magazine.vulnerability-db.com/?q=articles/2015/08/28/paypal-inc-bug-bounty-2015-stored-cross-site-vulnerability-disclosed-researcher
Release Date:
=============
2015-08-28
Vulnerability Laboratory ID (VL-ID):
====================================
1588
Common Vulnerability Scoring System:
====================================
4.2
Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be \
made through the Internet. Online money transfers serve as electronic alternatives \
to paying with traditional paper methods, such as checks and money orders. \
Originally, a PayPal account could be funded with an electronic debit from a bank \
account or by a credit card at the payer s choice. But some time in 2010 or early \
2011, PayPal began to require a verified bank account after the account holder \
exceeded a predetermined spending limit. After that point, PayPal will attempt to \
take funds for a purchase from funding sources according to a specified funding \
hierarchy. If you set one of the funding sources as Primary, it will default to that, \
within that level of the hierarchy (for example, if your credit card ending in 4567 \
is set as the Primary over 1234, it will still attempt to pay money out of your \
PayPal balance, before it attempts to charge your credit card). The funding hierarchy \
is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal \
SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary \
funding source) (It can bypass the Balance); a verified bank account; other funding \
sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can \
either request a check from PayPal, establish their own PayPal deposit account or \
request a transfer to their bank account.
PayPal is an acquirer, performing payment processing for online vendors, auction \
sites, and other commercial users, for which it charges a fee. It may also charge a \
fee for receiving money, proportional to the amount received. The fees depend on the \
currency used, the payment option used, the country of the sender, the country of \
the recipient, the amount sent and the recipient s account type. In addition, eBay \
purchases made by credit card through PayPal may incur extra fees if the buyer and \
seller use different currencies.
On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate \
headquarters are in San Jose, California, United States at eBay s North First Street \
satellite office campus. The company also has significant operations in Omaha, \
Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, \
Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, \
PayPal also operates as a Luxembourg-based bank.
On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China \
s bankcard association, to allow Chinese consumers to use PayPal to shop \
online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the \
year 2010.
(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Team Researcher discovered an application-side \
input validation and filter bypass vulnerability in the official PayPal Inc online \
service web-application.
Vulnerability Disclosure Timeline:
==================================
2015-08-20: Vendor Fix/Patch (PayPal Inc - Developer Team)
2015-08-28: Public Disclosure (Vulnerability Laboratory
Discovery Status:
=================
Published
Affected Product(s):
====================
PayPal Inc
Product: PayPal - Online Service Web Application 2015 Q3
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An application-side validation vulnerability has been discovered in the official \
PayPal Inc online service web-application. The vulnerability allows remote attackers \
to comrpomise user accounts or transactions by persistent malicious inject of script \
codes.
Paypal SecurePayments domain is used by paypal users to do secure payments when \
purchasing from any shopping site, this secure payments page require Paypal users to \
fill some forms that include their Credit Card number, CVV2, Expiry date and more to \
finalize the payment and purchase the products via their Paypal account,
The submitted data is processed through encrypted channel(HTTPS) so attackers wont be \
able to sniff/steal such data.
I've found a Stored XSS vulnerability that affects the SecurePayment page directly \
which allowed me to alter the page HTML and rewrite the page content, An attacker \
can provide his own HTML forms to the user to fullfill and send the users data back \
to attacker's server in clear text format, and then use this information to purchase \
anything in behave of users or even transfere the users fund to his own account!
Request Method(s):
[+] POST
Vulnerable Page:
[+] https://securepayments.paypal.com/cgi-bin/acquiringweb
Vulnerable Parameter(s):
[+] template
Proof of Concept (PoC):
=======================
The application-side cross site scripting vulnerability can be exploited by remote \
attackers withour privilege application user account and with low user interaction \
(click). For security demonstration or to reproduce the vulnerability follow the \
provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1- Attacker setup shopping site or Hack into any shopping site, alter the "CheckOut" \
button with the Paypal Vulnerability, 2- Paypal user browse the malformed shopping \
site, choose some products, click on "CheckOut" button to Pay with his Paypal \
account, 3- User get's redirected to https://Securepayments.Paypal.com/ to fill the \
required Credit Card information to complete the purchasing order, In the same page, \
the products price that will be paid is included inside the same page, and as we know \
the attacker now control this page! 4- Now when you (Paypal user) click on Submit \
Payment button, instead of paying let's say "100$" YOU WILL PAY TO THE ATTACKER \
WHATEVER AMOUNT THE ATTACKER'S DECIDE!!
Solution - Fix & Patch:
=======================
2015-08-20: Vendor Fix/Patch (PayPal Inc - Developer Team)
Security Risk:
==============
The security risk of the stored cross site scripting vulnerability in the paypal \
web-application is estimated as medium. (CVSS 4.2)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ebrahim Hegazy [ebrahim@evolution-sec.com] \
(www.vulnerability-lab.com)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including \
the warranties of merchantability and capability for a particular purpose. \
Vulnerability-Lab or its suppliers are not liable in any case of damage, including \
direct, indirect, incidental, consequential loss of business profits or special \
damages, even if Vulnerability-Lab or its suppliers have been advised of the \
possibility of such damages. Some states do not allow the exclusion or limitation of \
liability for consequential or incidental damages so the foregoing limitation may \
not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - \
www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php \
- evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - \
vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - \
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically \
redistribute this alert in its unmodified form is granted. All other rights, \
including the use of other media, are reserved by Vulnerability-Lab Research Team or \
its suppliers. All pictures, texts, advisories, source code, videos and other \
information on this website is trademark of vulnerability-lab team & the specific \
authors or managers. To record, list (feed), modify, use or edit our material contact \
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic