[SmartStoreNET] Malicious Message leading to E-Commerce Takeover

We discussed this vulnerability during Episode 97 on 08 November 2021

Vulnerability

The initial foothold was a stored cross-site scripting vulnerability in the conversion of the [url] BBcode tag. This could be used to target an administrative user, add a new admin account, and install a malicious plugin for code execution.

Cross-Site Scripting in BBcode

SmartStoreNET would encode user input to protect against injecting HTML, but it did not properly handle nesting. This matters specifically for URL tags, where part of the user-controlled content is reflected in an attribute (the href attribute of the <a> tag). It allows an attacker to nest one url tag within another, and the nested pair does not get processed properly.

Specifically, the problem is triggered by nesting a complex [url] tag inside a simple one. A complex tag is one where the href attribute and the display text are different.

simple:  `[url]https://dayzerosec.com[/url]`
complex: `[url=https://dayzerosec.com]dayzerosec[/url]`

By nesting the complex tag within the simple one, the inner url tag is parsed and replaced with HTML first; that HTML is then placed inside the href attribute of the outer tag. It includes unescaped quotes that break out of the href attribute and allow injecting other attributes.

In somewhat simplified form:

```
[url]outer_left[url=injectedAttribute=XYZ]inner[/url]outer_right[/url]
```

becomes

```
[url]outer_left<a href="injectedAttribute=XYZ">inner</a>outer_right[/url]
```

which becomes

```
<a href="outer_left<a href="injectedAttribute=XYZ">inner</a>outer_right">outer_left<a href="injectedAttribute=XYZ">inner</a>outer_right</a>
```

The opening quote of the inner tag's href closes the outer tag's href attribute early, so everything after it is parsed as new attributes on the outer tag.
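To make the two-pass behaviour concrete, here is an added toy renderer (example code written for this page, not SmartStoreNET's implementation) that reproduces the nesting flaw beside a hardened variant, and parses the result with a browser-like tokenizer to show which attributes the outer `<a>` ends up with. The mitigation shown (encoding at the point of attribute insertion and only linking http(s) targets) is an assumption, not the project's actual patch.

```python
import html.parser
import re

# Toy BBCode renderer reproducing the nesting flaw described above; it is an
# added illustration, not SmartStoreNET's code. Input is HTML-encoded up front,
# then [url] tags become <a>, complex form first, so an inner tag is expanded
# before the simple outer tag wraps it.
COMPLEX = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.DOTALL)
SIMPLE = re.compile(r"\[url\](.*?)\[/url\]", re.DOTALL)

def render_vulnerable(bbcode: str) -> str:
    out = html.escape(bbcode, quote=True)
    # The inner (complex) tag expands to HTML containing raw quotes...
    out = COMPLEX.sub(lambda m: f'<a href="{m.group(1)}">{m.group(2)}</a>', out)
    # ...which the simple outer tag then drops, unescaped, into its own href.
    return SIMPLE.sub(lambda m: f'<a href="{m.group(1)}">{m.group(1)}</a>', out)

def attr_encode(value: str) -> str:
    # Neutralise only characters that can close or alter an attribute; '&' was
    # already encoded by the first pass, so re-encoding it would double up.
    return (value.replace('"', "&quot;").replace("'", "&#x27;")
                 .replace("<", "&lt;").replace(">", "&gt;"))

def render_hardened(bbcode: str) -> str:
    # Assumed mitigation, not the project's actual patch: encode a value at the
    # moment it lands in an attribute, and only link http(s) targets.
    def link(target: str, label: str) -> str:
        if not re.match(r"https?://", target, re.IGNORECASE):
            return label  # not a linkable URL: drop the tag, keep the text
        return f'<a href="{attr_encode(target)}">{label}</a>'
    out = html.escape(bbcode, quote=True)
    out = COMPLEX.sub(lambda m: link(m.group(1), m.group(2)), out)
    return SIMPLE.sub(lambda m: link(m.group(1), m.group(1)), out)

class _FirstAnchor(html.parser.HTMLParser):
    # Records the attributes a tokenizer assigns to the first <a> element.
    def __init__(self):
        super().__init__()
        self.attrs = None
    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = attrs

def first_anchor_attrs(markup: str) -> list:
    # Attribute names on the first <a>; anything beyond "href" is a breakout.
    parser = _FirstAnchor()
    parser.feed(markup)
    return [name for name, _ in (parser.attrs or [])]

SAMPLE = "[url]outer_left[url=injectedAttribute=XYZ]inner[/url]outer_right[/url]"  # constructed: the page's simplified form
```

Running `first_anchor_attrs(render_vulnerable(SAMPLE))` yields `['href', 'injectedattribute']`, while the hardened renderer produces no anchor at all for that input and only `['href']` for a nested pair of genuine http(s) URLs.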

Exploitation

With attribute injection, often the only route forward is something requiring user interaction, such as injecting an onmouseover handler. In this case the researchers were able to take advantage of some existing CSS animations and set their code in onwebkitanimationend, which on Chrome, Safari, and Opera executes automatically when the animation ends.

From there, the XSS was used to target an admin user and automatically create a new administrative account. With an admin account under attacker control, a plugin could be installed for code execution.