Cross-Site Scripting on a big bank’s Payment Gateway

Kenan
Dec 19, 2019 · 5 min read

While I was looking for bugs on a private client on a bug bounty platform, I came across a payment page at checkout.
I was capturing all the requests and I didn't pay the amount, so I clicked "cancel" on the page.
Then I figured out that an HTML file called "callback.html" was loaded. There was nothing visible on the screen, as you can see here:

Normally you might think there is nothing on the page, but I didn't just quit when I saw the version number. I pressed Ctrl + U to see the source code of the page! (tip)

There was some code, yes, which made me want to keep digging.
After reading the code, I saw that it read the query string via window.location.search.substring and split it into parameters, for example errorCode, cancel, gatewayCode, etc.

Then I saw the line

if (currentLocation != null) document.getElementById('loadingCompleteFrame').src = currentLocation + "?creReserved=r";

in the function loadFrame().

There had to be some code calling this function; I saw it at the end of the page:

<body onLoad="loadFrame(); ">
<iframe id="loadingCompleteFrame" class="frameStyle"></iframe>
<p>Version XXX</p>
</body>

When the body was loaded, the page called the function loadFrame().
What was that function doing?
If there was a cancel parameter with value 1 or 2, it set the iframe's src to the currentLocation variable, which was read from the rurl parameter in the URL.
So, I put the cancel parameter into the URL as callback.html?cancel=1 and added the rurl parameter as well,
like:

callback.html?cancel=1&rurl=javascript:alert(1)

of course with a javascript payload :)
But I thought, why just XSS, why not try SSRF? So I tried to load google or something else, but no success.
I got back to XSS and kept on trying javascript:alert(1), but no success.
I added javascript:alert(1); (with a semicolon), still nothing. When I added two slashes, javascript:alert(1);//, I saw the XSS trigger.

Mission Completed!


While writing this article, I figured out that the semicolon is not needed; two slashes are enough to trigger the XSS. Also, the cancel parameter is not necessary. Maybe at that time I was excited, so I tried all the parameters ;)
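As an added illustration (not the bank's actual callback.html, whose full source the write-up does not reproduce), the following reconstructs the loadFrame() logic described above as a plain function and places a hardened version next to it. The function names, the sample merchant origin and the allowlist are assumptions made for this example. It also shows why the trailing two slashes mattered: the page appends "?creReserved=r" to whatever is in rurl, so inside a javascript: URL the remainder is a syntax error unless it is commented out.

```javascript
// Added example, not the bank's callback.html: the iframe-src pattern the
// write-up describes, reconstructed as pure functions beside a hardened
// version. parseQuery, vulnerableRedirectTarget, safeRedirectTarget and
// the merchant origin in ALLOWED_ORIGINS are assumptions for illustration.

// Decode one query component, falling back to the raw text on malformed %-escapes.
function decodeComponent(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (e) {
    return raw;
  }
}

// Parse "?a=1&b=2" into an object, mirroring the window.location.search
// substring/split logic the page describes.
function parseQuery(search) {
  const params = {};
  const query = search.startsWith('?') ? search.substring(1) : search;
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.substring(0, eq);
    const value = eq === -1 ? '' : pair.substring(eq + 1);
    params[decodeComponent(key)] = decodeComponent(value);
  }
  return params;
}

// Vulnerable pattern: whatever is in rurl becomes the iframe's src, with
// "?creReserved=r" appended. A javascript: URL therefore runs in the page's
// origin, and the appended suffix is why only a payload ending in "//"
// (a JavaScript line comment) parses without a syntax error.
function vulnerableRedirectTarget(search) {
  const params = parseQuery(search);
  const currentLocation = params.rurl || null;
  if (currentLocation != null) {
    return currentLocation + '?creReserved=r';
  }
  return null;
}

// Hardened pattern: parse rurl with the URL constructor, accept only https
// URLs whose origin is on a fixed allowlist, and rebuild the string from the
// parsed parts instead of concatenating user input.
const ALLOWED_ORIGINS = new Set([
  'https://merchant.example', // constructed sample merchant origin
]);

function safeRedirectTarget(search, allowedOrigins = ALLOWED_ORIGINS) {
  const params = parseQuery(search);
  if (typeof params.rurl !== 'string' || params.rurl.length === 0) return null;
  let target;
  try {
    target = new URL(params.rurl); // throws on relative paths and garbage
  } catch (e) {
    return null;
  }
  if (target.protocol !== 'https:') return null;      // rejects javascript:, data:, http:
  if (!allowedOrigins.has(target.origin)) return null; // blocks redirects to arbitrary hosts
  target.searchParams.set('creReserved', 'r');        // same marker the original appended
  return target.href;
}

// Browser usage (element id taken from the page's markup):
// document.getElementById('loadingCompleteFrame').src =
//   safeRedirectTarget(window.location.search) || 'about:blank';
```

The design point is to validate the parsed scheme and origin rather than a string prefix, and never to assign a user-controlled string straight to src or href. A Content-Security-Policy that forbids inline script adds defence in depth, but it does not replace the allowlist, since an open redirect to an attacker-chosen https page is still a phishing problem.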


After some research, I found that this HTML file is a big bank's payment gateway. (I wanted to disclose the name because they didn't pay attention as I expected, but to protect their customers, and because my mentor advised me NOT to, I didn't.) My interest got deeper then. I went to their developer website to make sure they had developed and served this file. I signed up as a developer and downloaded callback.html from their site.
It was there and the version was still the same, which means the current HTML file is vulnerable and they put all clients using their payment gateway at risk!
If the private company I was looking for bugs on was using this gateway, there must be others, and I thought I should report this directly to the bank. I looked to see if they had a responsible disclosure page, and found one.

I also figured out that they are working with Synack for responsible disclosure reports, which means they pay Synack but NOT RESEARCHERS. So stupid, but yes. Only a VDP.

Timeline:
* 14.09.2019 Issue reported via their Responsible Disclosure Program; got a response from a Synack team member saying "Thanks" on the same day.
* 16.09.2019 Additional info sent that they still serve the vulnerable callback.html via the developer portal; got a reply saying thanks for the additional info.
* 17.09.2019 Asked for a fix date: how long would it take them to handle this?
* 18.09.2019 Synack team member said this has been determined to be valid and has been sent to the client, asking me to keep it confidential in the meantime. They will notify me when a fix has been placed.
* 18.09.2019 I asked if there was any bounty, because I didn't understand it was a VDP and expected some reward from such a big bank!
* 18.09.2019 Synack team member answered that this is a responsible disclosure program. Monetary compensation is not provided, but they provide recognition on their acknowledgements page once a fix has been placed. And when a fix has been placed, they'll coordinate with me.
* 20.09.2019 Asked to schedule a fix date, or is it infinite? Scheduled a 90-day disclosure date, which started. Synack team member told me they will notify me when the client has placed a fix.
* 19.10.2019 Sent a reminder that two months were left for disclosure.
* No reply.
* 08.11.2019 Sent another reminder that one month was left for disclosure. Synack team member told me that they had told me previously that this is awaiting a client fix and that they will connect with me when that is completed.
* 14.11.2019 Reminder of the 90-day disclosure date.
* 10.12.2019 Reminder that 10 days were left for disclosure.
* 11.12.2019 Another Synack team member told me they understand my urgency to disclose and have notified the client of the same. While they emphasize the need for clients to fix issues in a timely fashion, they do not place arbitrary timelines on their clients based on researcher demands. This is up to their adjudication processes.
* 12.12.2019 As my friend and mentor @fng told me to try to contact the bank's team directly to show that my aim was not bad and that I wanted to protect their customers and users, I tried that on Twitter, DM'ed them, searched for any email, found an email at HackerOne and tried to reach them, asking if they monitor that email and asking for any knowledge about my submission. No reply from any of them.
Last minute update:
* 16.12.2019 Got a reply from a Synack team member saying: We have worked with the client on updates for this particular issue and have received the following:
1) The code was removed on the 12th of Dec until it can be corrected
2) The code is being modified by the vendor
3) The ETA to promote a new version on Developer Center is targeted for January 2020.
* 20.12.2019 Disclosed on time.


What could be done with this XSS? Simply, users could be redirected to a fake credit card page and their credentials could be stolen (or to a fake login page of the site which is using this bank's payment gateway). I'm sorry that the bank's responsible disclosure is not enough to protect their customers.

I had disclosed the bank's name here, as said, but my friend @fng also advised me to remove it to reduce the risk for their clients, even if they are so slow to take action. So, I did. Thanks to my friend, appreciated!

Regards.


InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by

Kenan

Top 40 hacker @ hackerone all-time, 2017 “Most Valued Hacker” & Top 7 hacker @ “Hack The World”. Bug bounty hunter
