Insecurity as a State Policy — Argentina

Joaquín Serna
4 min read · Sep 8, 2018


First of all let me introduce myself:
I’m Joaquín Serna from Buenos Aires, Argentina. I’ve been studying computers for as long as I can remember, recently graduated from a technical school where I studied computer science, and I’m currently studying computer science at the Facultad de Ciencias Exactas at the Universidad de Buenos Aires.
About a month ago I was looking up some information about Argentina’s national government on the official national state website when I was redirected to this login page.

Mi Argentina login screen

This was a “feature” I hadn’t seen before, but I wasn’t planning on registering because it asks for your identity document and a password (which I try to keep away from the government, even though I never reuse the same one). So instead I tried to log in with our President Mauricio Macri’s identity document and watched in the devtools what information was sent and received. I was denied access even before it asked for a password, and got the following as the response.

{
"result": {
"username": "CUIL:20131204699",
"first_name": "Mauricio",
"enable": false,
"is_renaper": false,
"next": "/authorize/?client_id=613410&response_type=code&scope=openid+profile+email+optional&redirect_uri=https://mi.argentina.gob.ar/_oauth/oidc&state=eyJsb2dpblN0eWxlIjoicmVkaXJlY3QiLCJjcmVkZW50aWFsVG9rZW4iOiJBTm9SUEhZNTdqallaa1J1cSIsImlzQ29yZG92YSI6ZmFsc2UsInJlZGlyZWN0VXJsIjoiaHR0cHM6Ly9taS5hcmdlbnRpbmEuZ29iLmFyLyJ9",
"full_name": "Mauricio Macri"
},
"error": null
}

There’s more information in there than was needed for a simple “access denied”.

Since enable is false, the website performs a series of redirects until it returns to the login page again, without any kind of error or other message. The next thing I did was try with my own identity document to see what changes from one to the other. It didn’t respond with data like the above; instead it showed me this error on the website, with a link to register that uses the URL parameters to prefill some fields. But rather than building this link in the browser, the error containing the link was sent as the response to the login request.

Login error
{
"step": "id",
"error": "El número que ingresaste no está registrado. Por favor intentá de nuevo o <a href='/registro/?next=/&fields={\"id_type\":\"CUIL\",\"id_number\":\"20XXXXXXXX4\"}' style='text-decoration: underline; color: #a94442;'>registrate</a>."
}

The next thing I tried was, obviously, sending some handcrafted HTML code to see what happened, and as I was expecting: XSS.

XSS in login site

It isn’t a full-power XSS, since the server uppercases everything, which makes it difficult to call JS functions, and the input is length-limited.

I reported this on 08/06/2018 and came back on 08/11/2018 to see if it was fixed, since it’s a simple bug. In summary, it wasn’t fixed, and I found something else.
To reach the login page I first visited argentina.gob.ar, and as soon as the page loaded I saw this search form and thought: where there’s one XSS there are two.

argentina.gob.ar index site

First I made a test request to see if anything was exploitable, and indeed it was. After some more testing I arrived at a very decent and compact full XSS exploit using <svg onload=alert(1)><!--

XSS in argentina.gob.ar search

These two vulnerabilities have been reported and are fairly easy to fix, but at the moment they aren’t fixed yet. I was hoping the government would take its security more seriously. As I have no intention to cause harm, I didn’t try SQL injection on certain pages that look like exploitable entry points, but I firmly believe that the whole system, and maybe even its infrastructure, is vulnerable, and a national government should take this more seriously.

UPDATE 09/10: The login’s XSS was fixed, but this doesn’t mean it’s bulletproof yet.

Some kind of WAF or regex has been added to the search input to block HTML in the search, BUT using percent-encoding it can still be exploited with, for example, this code: %3Csvg %6F%6E%6C%6F%61%64=alert(1) %3E
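The reflected login error (where the server embedded the submitted id_number inside HTML in a JSON response) and the percent-encoded bypass of the search filter share one root cause: untrusted input reaching HTML without canonicalization and output encoding. The following is an added example, not code from the article or from the site, showing a hardened version of both patterns; all function names, the endpoint path and the messages are assumptions.

```javascript
// Added example, not code from the article or from argentina.gob.ar.
// Assumes Node.js; function names, paths and messages are constructed.

// Minimal HTML entity encoder for text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Login error, hardened: the submitted id_number is reflected only after
// escaping, so any markup in it becomes inert text inside the href attribute.
function buildRegisterLink(idType, idNumber) {
  const fields = JSON.stringify({ id_type: idType, id_number: idNumber });
  return `<a href='/registro/?next=/&fields=${escapeHtml(fields)}'>registrate</a>`;
}

// Preferable: return structured data and let the page build the link with
// DOM APIs (textContent / element.href) instead of shipping HTML in JSON.
function buildLoginError(idType, idNumber) {
  return { step: 'id', registered: false,
           register: { path: '/registro/', fields: { id_type: idType, id_number: idNumber } } };
}

// Search filter as the article describes it: a check for literal tags on the
// raw query string. Percent-encoded input contains no '<', so it passes.
function naiveFilter(rawQuery) {
  return !/<\s*\/?[a-z!]/i.test(rawQuery);
}

// Canonicalize before inspecting: decode '+' and percent escapes until the
// value stops changing (bounded), so %3C and double-encoded %253C both become '<'.
function canonicalize(raw) {
  let cur = String(raw).replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; } // malformed escape
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

function hardenedFilter(rawQuery) {
  return naiveFilter(canonicalize(rawQuery));
}

// The actual fix is output encoding of the decoded value, filter or no filter.
function renderSearchTerm(rawQuery) {
  return `<p>Results for: ${escapeHtml(canonicalize(rawQuery))}</p>`;
}
```

Blocklist filters like naiveFilter only ever catch the encodings their author thought of; encoding the reflected value for its output context is what removes the bug.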

Update 09/12: Yesterday I received an email from an employee of the national government in which I was asked to share these exploits. My response was this link.

Today I was assured that these vulnerabilities will be fixed, and they thanked me for the report.

That’s it for now.

Thanks everybody for reading this and stay secure!

