[SmartStoreNET] Malicious Message leading to E-Commerce Takeover
Vulnerability
The initial foothold was a stored cross-site scripting vulnerability in the conversion of the `[url]` BBCode tag. This could be used to target an administrative user, adding a new admin account and installing a malicious plugin for code execution.
Cross-Site Scripting in BBcode
SmartStoreNET would encode user input to protect against injecting HTML, but it did not properly handle nesting, specifically with URL tags, where part of the user-controlled content is reflected in an attribute (the `href` attribute of the `<a>` tag). This allows an attacker to nest a url tag within another one, which doesn't get processed properly.
Specifically, nesting a complex `[url]` tag inside a simple one. A complex tag is one where the `href` attribute and the display text are different.
simple: `[url]https://dayzerosec.com[/url]`
complex: `[url=https://dayzerosec.com]dayzerosec[/url]`
By nesting the complex tag within the simple one, the inner url tag is parsed and replaced with HTML, which is then placed inside the `href` attribute of the outer tag. This includes unescaped quotes that break out of the `href` attribute and allow injecting other attributes.
In somewhat simplified form:

```
[url]outer_left[url=injectedAttribute=XYZ]inner[/url]outer_right[/url]
```

becomes

```
[url]outer_left<a href="injectedAttribute=XYZ">inner</a>outer_right[/url]
```

which becomes

```
<a href="outer_left<a href="injectedAttribute=XYZ">inner</a>outer_right">outer_left<a href="injectedAttribute=XYZ">inner</a>outer_right</a>
```
The start of the inner tag's `href` breaks out of the first tag's `href`.
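To make the defect concrete, here is an added example that is not SmartStoreNET's code: a hypothetical multi-pass converter that reproduces the nesting bug described above, a structural renderer that encodes each value at the point it enters HTML and treats a simple `[url]` body as a verbatim URL, and a check using Python's own HTML parser to show which attributes a browser-like parser sees on the resulting `<a>` tags. The tag grammar, function names and the constructed payload are assumptions built from the page's simplified form.

```python
import html.parser
import re

# Hypothetical tag grammar; SmartStoreNET's real converter is not reproduced here.
COMPLEX_URL = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.DOTALL)
SIMPLE_URL = re.compile(r"\[url\](.*?)\[/url\]", re.DOTALL)
OPEN_TAG = re.compile(r"\[url(?:=([^\]]+))?\]")
ANY_TAG = re.compile(r"\[url(?:=[^\]]+)?\]|\[/url\]")
def esc(s): return html.escape(s, quote=True)  # encode for text and attribute context

def render_vulnerable(bbcode: str) -> str:
    """Encode once up front, then rewrite tags textually in passes: the inner complex
    tag's rendered HTML (raw quotes included) lands inside the outer simple tag's href."""
    text = COMPLEX_URL.sub(r'<a href="\1">\2</a>', esc(bbcode))
    return SIMPLE_URL.sub(r'<a href="\1">\1</a>', text)

def render_fixed(bbcode: str) -> str:
    """Parse structurally: match each open tag to its close (nesting-aware), encode each
    value where it enters HTML, and never interpret tags inside a simple [url] body."""
    out, pos = [], 0
    while (m := OPEN_TAG.search(bbcode, pos)) is not None:
        out.append(esc(bbcode[pos:m.start()]))
        depth = 1
        for close in ANY_TAG.finditer(bbcode, m.end()):
            depth += -1 if close.group().startswith("[/") else 1
            if depth == 0:
                break
        else:                                    # no matching close: rest is literal text
            return "".join(out) + esc(bbcode[m.start():])
        body = bbcode[m.end():close.start()]
        if m.group(1) is not None:               # complex: separate href, body may nest
            out.append(f'<a href="{esc(m.group(1))}">{render_fixed(body)}</a>')
        else:                                    # simple: the body *is* the URL, verbatim
            out.append(f'<a href="{esc(body)}">{esc(body)}</a>')
        pos = close.end()
    return "".join(out) + esc(bbcode[pos:])

class _AnchorAttrs(html.parser.HTMLParser):
    """Record the attribute names a parser (and so a browser) sees on <a> tags."""
    names = ()
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.names += tuple(name for name, _ in attrs)

def anchor_attributes(rendered: str) -> list:
    parser = _AnchorAttrs()
    parser.feed(rendered)
    return list(parser.names)

PAYLOAD = "[url]outer_left[url=injectedAttribute=XYZ]inner[/url]outer_right[/url]"  # constructed from the page's simplified form
```

Running `anchor_attributes` over both outputs for `PAYLOAD` shows `injectedattribute` parsed as a real attribute of the first `<a>` in the vulnerable rendering, and only `href` in the fixed one.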
Exploitation
With attribute injection, often the only route forward is something requiring user interaction, such as injecting into `onmouseover` or a similar handler. In this case they were able to take advantage of some existing CSS animations and set their code in `onwebkitanimationend`, which on Chrome, Safari, and Opera executes automatically when the animation ends.
From there, the XSS was used to target an admin user and automatically create a new administrative account. With an admin account under attacker control, a plugin could be installed for code execution.