Multiple XSS - Security Flaw in Portal das Finanças (http://www.portaldasfinancas.gov.pt/)

on Wednesday, 1 January 2014
Well, to start the year, here is another discovery, and this time on a government site that is in constant use by the Portuguese.

About

Title: Non-persistent XSS in Portal das Finanças (Registration Area)
Risk: High
Discovery Date: December
Injected Code: "><script>alert(document.cookie)</script><input
Author: Manuel Sousa (me)


Steps to Reproduce

1. Open http://www.portaldasfinancas.gov.pt/pt/adesaoForm.action with Firefox or Internet Explorer to see the JavaScript alert box.
2. Inject the payload into the form identifier; in this case I used the email (adesaoForm.action?email=/payload/): "><script>alert(document.cookie)</script><input
3. See the final result =]
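To show what the payload above actually does to the page, and what the fix on the server side looks like, here is an added example (not code from the portal or from the author of this post). It assumes a hypothetical template that reflects the email parameter straight into the `value` attribute of an input; the fix is HTML-escaping the value, quotes included, before it is reflected.

```python
import html

# Payload from the post above, kept here as a constant for the demonstration.
PAYLOAD = '"><script>alert(document.cookie)</script><input'


def render_unsafe(email: str) -> str:
    """Hypothetical template that reflects the parameter unescaped into an attribute."""
    return f'<form><input type="text" name="email" value="{email}"></form>'


def render_safe(email: str) -> str:
    """Same template, but the value is escaped (quote=True also encodes " and ')."""
    return f'<form><input type="text" name="email" value="{html.escape(email, quote=True)}"></form>'


def count_elements(markup: str, tag: str) -> int:
    """Count opening tags of a given name, to see whether the payload created new elements."""
    return markup.lower().count(f"<{tag}")


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(PAYLOAD)
        print(f"{name}: inputs={count_elements(out, 'input')} scripts={count_elements(out, 'script')}")
        print("   ", out)
```

In the unsafe rendering the leading `">` closes the attribute and the input element, the `<script>` becomes a real element, and the trailing `<input` swallows the rest of the original tag; the escaped rendering keeps everything inside the attribute value. Note that attribute escaping is the right fix only for this context: values placed inside a `<script>` block, a URL attribute or an unquoted attribute need their own encoding rules.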




After it was reported to the security department responsible for the portal, here is the reply.





Other vulnerable parts of the portal:


Disclosure Timeline


December 25, 2013 at 01:00 (WET): Vulnerability Discovered
December 29, 2013 at 20:39 (WET): Bug Reported
December 30, 2013 at 17:43 (WET): Response from the IT Department
Vulnerability fixed: Not yet

XSS Google Groups (groups.google.com) - Vulnerability Reward Program

on sábado, 30 de novembro de 2013
Hi! Just want to share my finding: I have found a Reflected XSS vulnerability in Google Groups. With no user interaction, enjoy ;-)


About

Title: Reflected XSS in Google Groups
Business Risk: High
Discovery Date: October/November
Payload: <href="url" onmouseover=alert(1)>
Author: Manuel Sousa (me)

Steps to Reproduce


This bug requires 2 accounts.

1. Login to Google Groups With Account 1
2. Create a group.
3. Post in the group and upload a .swf file with a payload written in the file. (Download here!)
4. Now click on "see".


5. Now you will see an XSS in the “sandbox” domain (No problem ;))

Now we have a link to access the .swf file (https://groups.google.com/group/xsstesttmanuelsousa/attach/a9f1c6bf1187cde9/xss.swf?part=4&authuser=0&view=1)

6. Log out of Google services with Account 1.
7. Log in to Google services with Account 2.
8. Now access the file created before with Account 1.
9. Now we will see a forbidden page. (The file is restricted.)
10. Inject the code ( <href="url" onmouseover=alert(1)>SOMETEXTHERE)
11. Injected link: https://groups.google.com/group/xsstesttmanuelsousa/attach/a9f1c6bf1187cde9/XSSbyMS%3Chref=%22url%22%20onmouseover=alert%281%29%3E
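Both posts on this page show the injected markup arriving percent-encoded in the request URL (the query string of adesaoForm.action and the path of the attachment link above). As an added example for the defender's side, not code from the author or from either site, here is a small access-log triage script: it extracts the request URL, percent-decodes it until stable so double-encoded variants are not missed, and flags URLs that contain markup-like indicators. The log lines are constructed for the demonstration and only borrow the two injected URLs quoted on this page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real logs). Lines 1 and 2 carry the injected
# URLs quoted in the two posts, line 3 is a benign request, line 4 is double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2013:00:01:12 +0000] "GET /group/xsstesttmanuelsousa/attach/a9f1c6bf1187cde9/XSSbyMS%3Chref=%22url%22%20onmouseover=alert%281%29%3E HTTP/1.1" 403 512
10.0.0.7 - - [29/Dec/2013:20:39:01 +0000] "GET /pt/adesaoForm.action?email=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cinput HTTP/1.1" 200 8841
10.0.0.9 - - [29/Dec/2013:20:40:44 +0000] "GET /pt/adesaoForm.action?email=joao%40example.pt HTTP/1.1" 200 8841
10.0.0.9 - - [29/Dec/2013:20:41:02 +0000] "GET /search?q=%2522%253E%253Cscript%253E HTTP/1.1" 200 120
"""

# Pulls the request target out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Indicators that should not appear in the decoded URL of a site that does not accept HTML input.
INDICATORS = [
    ("tag_open", re.compile(r"<\s*/?[a-z!]", re.I)),        # <script, <href, </script ...
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),  # onmouseover=, onerror= ...
    ("js_uri", re.compile(r"javascript\s*:", re.I)),         # javascript: URLs
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so %2522 -> %22 -> " is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list:
    """Return (line_no, [indicator names]) for every request whose decoded URL looks like injected markup."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = fully_decode(match.group(1))
        found = [name for name, pattern in INDICATORS if pattern.search(url)]
        if found:
            hits.append((line_no, found))
    return hits


if __name__ == "__main__":
    for line_no, found in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(found)}")
```

The indicators are deliberately coarse triage heuristics (a parameter named `online=` would trip `event_handler`), so treat hits as candidates for review rather than as confirmed attacks; the point is that the decoding step has to happen before any pattern matching, otherwise the percent-encoded form of the link above passes unnoticed.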






Disclosure Timeline

October 24, 2013 at 11:00 PM (WET Time): Vulnerability Discovered
October 25, 2013 at 00:05 AM (WET Time): Initial Report
October 25, 2013 at 00:05 AM (WET Time): Autoresponse from Security bot
October 25, 2013 at 8:22 PM (WET Time): First response from Security Team
November 5, 2013 at 22:46 AM (WET Time): Bounty Awarded.
November 7, 2013: Vulnerability Fixed
You can see my name in Hall of Fame, and I promise, I'll be there more often ;). (http://www.google.com/about/appsecurity/hall-of-fame/reward/)



Sorry about my English :3