[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] PayPal Bug Bounty #119 - Stored Cross Site Scripting Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2015-08-28 13:46:39
Message-ID: 55E0663F.3080103 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
PayPal Bug Bounty #119 - Stored Cross Site Scripting Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1588
Video: http://www.vulnerability-lab.com/get_content.php?id=1587
Vulnerability Magazine: \
http://magazine.vulnerability-db.com/?q=articles/2015/08/28/paypal-inc-bug-bounty-2015-stored-cross-site-vulnerability-disclosed-researcher
Release Date:
=============
2015-08-28
Vulnerability Laboratory ID (VL-ID):
====================================
1588
Common Vulnerability Scoring System:
====================================
4.2
Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the \
Internet. Online money transfers serve as electronic alternatives to paying with traditional paper \
methods, such as checks and money orders. Originally, a PayPal account could be funded with an \
electronic debit from a bank account or by a credit card at the payer s choice. But some time in 2010 or \
early 2011, PayPal began to require a verified bank account after the account holder exceeded a \
predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from \
funding sources according to a specified funding hierarchy. If you set one of the funding sources as \
Primary, it will default to that, within that level of the hierarchy (for example, if your credit card \
ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal \
balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal \
account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill \
Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; \
other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either \
request a check from PayPal, establish their own PayPal deposit account or request a transfer to their \
bank account.
PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other \
commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional \
to the amount received. The fees depend on the currency used, the payment option used, the country of \
the sender, the country of the recipient, the amount sent and the recipient s account type. In addition, \
eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use \
different currencies.
On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in \
San Jose, California, United States at eBay s North First Street satellite office campus. The company \
also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the \
United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, \
PayPal also operates as a Luxembourg-based bank.
On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard \
association, to allow Chinese consumers to use PayPal to shop online.PayPal is planning to expand its \
workforce in Asia to 2,000 by the end of the year 2010.
(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Team Researcher discovered an application-side input validation and \
filter bypass vulnerability in the official PayPal Inc online service web-application.
Vulnerability Disclosure Timeline:
==================================
2015-08-20: Vendor Fix/Patch (PayPal Inc - Developer Team)
2015-08-28: Public Disclosure (Vulnerability Laboratory
Discovery Status:
=================
Published
Affected Product(s):
====================
PayPal Inc
Product: PayPal - Online Service Web Application 2015 Q3
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An application-side validation vulnerability has been discovered in the official PayPal Inc online \
service web-application. The vulnerability allows remote attackers to comrpomise user accounts or \
transactions by persistent malicious inject of script codes.
Paypal SecurePayments domain is used by paypal users to do secure payments when purchasing from any \
shopping site, this secure payments page require Paypal users to fill some forms that include their \
Credit Card number, CVV2, Expiry date and more to finalize the payment and purchase the products via \
their Paypal account,
The submitted data is processed through encrypted channel(HTTPS) so attackers wont be able to sniff/steal \
such data.
I've found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to \
alter the page HTML and rewrite the page content, An attacker can provide his own HTML forms to the user \
to fullfill and send the users data back to attacker's server in clear text format, and then use this \
information to purchase anything in behave of users or even transfere the users fund to his own account!
Request Method(s):
[+] POST
Vulnerable Page:
[+] https://securepayments.paypal.com/cgi-bin/acquiringweb
Vulnerable Parameter(s):
[+] template
Proof of Concept (PoC):
=======================
The application-side cross site scripting vulnerability can be exploited by remote attackers withour \
privilege application user account and with low user interaction (click). For security demonstration or \
to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1- Attacker setup shopping site or Hack into any shopping site, alter the "CheckOut" button with the \
Paypal Vulnerability, 2- Paypal user browse the malformed shopping site, choose some products, click on \
"CheckOut" button to Pay with his Paypal account, 3- User get's redirected to \
https://Securepayments.Paypal.com/ to fill the required Credit Card information to complete the \
purchasing order, In the same page, the products price that will be paid is included inside the same \
page, and as we know the attacker now control this page! 4- Now when you (Paypal user) click on Submit \
Payment button, instead of paying let's say "100$" YOU WILL PAY TO THE ATTACKER WHATEVER AMOUNT THE \
ATTACKER'S DECIDE!!
Solution - Fix & Patch:
=======================
2015-08-20: Vendor Fix/Patch (PayPal Inc - Developer Team)
Security Risk:
==============
The security risk of the stored cross site scripting vulnerability in the paypal web-application is \
estimated as medium. (CVSS 4.2)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ebrahim Hegazy [ebrahim@evolution-sec.com] \
(www.vulnerability-lab.com)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab \
disclaims all warranties, either expressed or implied, including the warranties of merchantability and \
capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of \
damage, including direct, indirect, incidental, consequential loss of business profits or special \
damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such \
damages. Some states do not allow the exclusion or limitation of liability for consequential or \
incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to \
break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen \
material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - \
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from \
Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is \
granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research \
Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this \
website is trademark of vulnerability-lab team & the specific authors or managers. To record, list \
(feed), modify, use or edit our material contact (admin@vulnerability-lab.com or \
research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic