Reflected XSS in Zomato



Writeup By Sudhanshu Rajbhar
Heyy Everyonee,
In this writeup I am going to tell you how I was able to get xss in Zomato.
I will tell the whole story how I found the vulnerable parameter.
Actually at that time I was reading a book “Mastering Modern Web Penetration Testing” (You can get it on Amazon) and from there I got know about a website named wolframalpha which we can use for subdomain enumeration.
I just thought of giving it a try , so I enetered zomato.com in the search bar and it gave me around 10 subdomains.It also shows “daily visitors” of a particular subdomain, thats a great options if you are looking for a less visited areas.So the last domain from the list caught my attention as the visitors were very less compared to others.

Source:https://www.wolframalpha.com/input/?i=zomato.com

I opened secretx.zomato.com, and all I can see is a button -“sign in with Zomato”.I checked the source code , nothing ineteresting.


I clicked on the button, it redirected me to zomato.com and a box was there saying “SecretX Client wants to access you Zomato Account. Accept or Recject” .
Here I added some junk values to the parameters to check for any oauth misconfiguration.And it gave me some error.


The parameter value was getting refleted in the source code, So i checked whether <,> are getting filtered or not.The result was, Naaah.


I tried for xss but I couldn’t get it ,as there was waf.I spent some time on it but no progress, I started looking for XSS reports,waf bypass blogs then I tried with xss payload list.
Boom yeah with the help of it I got the xss popup.The payload which worked for me was
<marquee loop=1 width=0 onfinish=alert`1`>XSS</marquee>
But I couldn’t access the DOM because alert(),confirm(),prompt() were getting blocked by the waf. Somehow I wanted to make it work, I tried url encoding the payload and other things but nothing worked.It was aound 3 : 40 am so I needed to go to bed coz don’t want to get late for school.
After coming back I started looking for more articles,blogs.Then I got to remember about the xss cheatsheet which was by Somdev , here is the link https://github.com/s0md3v/AwesomeXSS
co\u006efirm()
By encoding the character in unicode I was able to access the DOM.


I submitted this report to Zomato,and the report was triaged and after that I went to sleep the next day when I woke up I checked the notification and I saw the mail “Zomato has rewarded you 250$”.


In the report Prateek Tiwari mentioned that the problem was with Hydra which is an OAuth 2.0 and OpenID Connect Provider which Zomato are using for authentication on their services.
For showing their gratitude,Hydra mentioned my name in their newsletter which was really great for me.


POC Video:


A great thanks for reading the writeup. I hope you have enjoyed it.

Comments

Post a Comment

Popular posts from this blog

Security Bugs in Practice: SSRF via Request Splitting

One of the most interesting (and sometimes scary!) parts of my job at Mozilla is dealing with security bugs. We don't always ship perfect code – nobody does – but I'm privileged to work with a great team of engineers and security folks who know how to deal effectively with security issues when they arise. I'm also privileged to be able to work in the open, and I want to start taking more advantage of that to share some of my experiences. One of the best ways to learn how to write more secure code is to get experience watching code fail in practice. With that in mind, I'm planning to write about some of the security-bug stories that I've been involved in during my time at Mozilla. Let's start with a recent one:  Bug 1447452 , in which some mishandling of unicode characters by the Firefox Accounts API server could have allowed an attacker to make arbitrary requests to its backend data store. The bug: corruption of unicode characters in HTTP request path It
Read more

Object name Exposure — ING Bank Responsible Disclosure Program

Image
Heading: Object name Or Internal Architecture Getting Exposed because Of Deserialisation Error NOTE: Usually i only copy/paste my conversation in medium am not having enough time to write these blog posts properly i am sharing this only for learning purpose not for earning my followers. 😐 👊 Hi, I am Rohit Kumar a Security Researcher and Bug Hunter from India. Vulnerability:  Information Disclosure &   Internal Architecture Disclosure — — — — — — — — — — — — — — — - Reproduction Steps — — — — — — — — — — — — — — — - 1. Login into =>  https://developer.ing.com 2. Now go to your Profile for Updating it 3. Edit your name and save it (At this step intercept your request using burp suite) 4. Now, At this endpoint PATCH  /individuals/791345bc-9444–4edc-9955–1b78e86fddfd/individualNames/EifQPFiEYfMiU- 3FODj3sT736QkPuGe4nigpckH2fEqkaitoTfuLjGG3Lu9UDN84DDCkrGf0y8Lx89HLHcUrFfcb HTTP/1.1 Host:  api.developer.ing.com You will notice a json text in request body
Read more

User Account Takeover [Password Change]— Nice Catch!

Image
Writeup By Rohit Kumar Image Credits: Record Future Ever thought how you are implementing and passing data from the form to your queries? You are doing it dynamically? Summary : In this writeup, I will explain how I was able to change the user account password without providing the old password. This writeup will be short. I will not take much time. About Target:  Target was From a private program. So, let’s assume the target is site.com Reproduction steps: Login into your site.com account. Navigate to  https://www.site.com/users/[user_id]/edit Now, you will see a form which allows you to edit your account details and there is also another option to change your current password which requires your old password but this can be bypassed easily. Now, for bypassing this change password feature. Just edit your account details and then submit this request and meanwhile intercept it. Now you will notice some $_POST fields which will be like user[first_name] // For c
Read more