Security expert Ebrahim Hegazy uncovered a stored XSS vulnerability in PayPal on 19 June 2015 that could be used to steal credit card information. Now security researchers at BitDefender have discovered another stored XSS vulnerability that could be exploited by attackers to run various attacks on PayPal users.
The problem lies in the PayPal process that serves uploaded files from the server and in the encryption of the URL parameter that identifies them. As a proof of concept, the researchers uploaded an HTML-formatted XML file through the "Create an Invoice" section. After uploading the files, the researchers identified that the "id" parameter for each uploaded file takes the value of a base64-encoded ciphertext produced in cipher block chaining (CBC) mode. To execute a malicious payload on the PayPal server, the researchers changed a series of bytes in each cipher block, states the blog post published by BitDefender.
Attack scenario
1. Create an XML file with the HTML content
2. Upload it to the PayPal server via "Create an Invoice";
3. Copy the URL of the file;
4. Change the second byte of the ciphertext to produce an error; the researchers analyzed the error to discover the encryption mechanism used by the server;
5. After the analysis, the researchers found the full path to the stored XSS;
6. The researchers then uploaded a second file, modifying some bytes to bypass a restriction: '/' cannot be used in a file name;
7. The second uploaded file name, divided into blocks of 16 bytes, looks like this:
8. The researchers used the blocks 'aaaaaaaaaaaaaaaa', 'bbbbbbbbbbbbbbbb' and 'cccccccccccccccc' to change bytes in the blocks that follow them, turning '.' into '/', so that decryption outputs the following blocks:
Note: the path /ff/ba/bb/p01-004-01-001-ffbabbbo-562b-41e7-b1e5-71fd15e0505b shown in the image above is the path of the stored XSS found in step 5.
The three blocks whose bytes were changed no longer decrypt to their original content; instead of 'aaaaaaaaaaaaaaaa' the output is scrambled bytes, something like:
9. In the image above, the researchers used a script that acts as a proxy and returns the response from PayPal.
10. Now the link only has to be copied and used for further attacks. The resulting web page with the proof of concept looked like this:
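Steps 7 and 8 rely on the malleability of unauthenticated CBC ciphertext: XORing a byte of one ciphertext block changes the same byte of the next plaintext block and scrambles that block itself. The following added example (not code from BitDefender or PayPal) reproduces the effect on a toy CBC construction with a stand-in Feistel block cipher, and shows the mitigation a defender wants: an encrypt-then-MAC check that rejects a modified "id" before it is decrypted. The key, IV, file name and 16-byte block size are constructed assumptions.

```python
import hmac, hashlib

BLOCK = 16
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
# Toy 4-round Feistel block cipher, a stand-in for the real one: CBC
# malleability only needs an invertible 16-byte block permutation.
def _f(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r
def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r
def cbc_encrypt(key, iv, pt):            # token = IV || C0 || C1 || ...
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return iv + out
def cbc_decrypt(key, ct):                # P_k = D(C_k) XOR C_(k-1), no integrity check
    return b"".join(xor(block_decrypt(key, ct[i:i + BLOCK]), ct[i - BLOCK:i])
                    for i in range(BLOCK, len(ct), BLOCK))

# XOR old^new into the byte that precedes plaintext block `block`: that byte of
# block `block` changes, and the preceding block decrypts to scrambled garbage.
def flip_byte(ct, block, pos, old, new):
    buf = bytearray(ct)
    buf[block * BLOCK + pos] ^= old ^ new
    return bytes(buf)

# Mitigation: encrypt-then-MAC, so a modified id is rejected before decryption.
def seal(enc_key, mac_key, iv, pt):
    ct = cbc_encrypt(enc_key, iv, pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()
def unseal(enc_key, mac_key, token):
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("id rejected: ciphertext was modified")
    return cbc_decrypt(enc_key, ct)
def demo():
    key, iv = b"k" * 16, bytes(BLOCK)               # constructed key and IV
    name = b"aaaaaaaaaaaaaaaa" b"ff.ba.bb.invoice"   # two 16-byte blocks
    tampered = flip_byte(cbc_encrypt(key, iv, name), 1, 2, ord("."), ord("/"))
    return cbc_decrypt(key, tampered)               # block 1 -> b"ff/ba.bb.invoice"
```

With `seal`/`unseal`, the same `flip_byte` call fails the HMAC comparison, which is the check that makes the tampering in steps 7 and 8 detectable rather than silently decrypted.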
Recall that a "reflected file download" vulnerability could be used to serve victims a file that appears to originate from the affected platform. The attack is dangerous because victims trust the file due to its origin, and with trivial social engineering tricks they could be induced to open it, starting the infection process.
Exploitation of the PayPal XSS flaw only worked in Firefox. The researchers confirmed that it has not been seen in the wild, and following its disclosure PayPal promptly issued a fix for the problem.