Sarahah XSS Exploitation Tool - Compromising Sarahah Users.

Disclaimer: This tool is built to demonstrate XSS vulnerability in Sarahah's web application that was pre-identified. I'm not responsible for any damage done using this tool as it's only built for educational purposes.

Note: Exploit Codes are included again as the Vulnerability is now Fixed.

Hello everyone, this is Shawar Khan and it's been a long time since my last write-up. Today i'm going to release one of my recently coded script that i coded for demonstrating the XSS vulnerability that was identified in Sarahah.


First i'd like to thank "Ronnie" for letting me know about the issue, you can find the article here.

The article demonstrates the XSS vulnerability in Sarahah in a proper way. According to the article, the XSS vulnerability is caused due to insecure reflection of message when new messages are loaded. New messages are not properly filtered which causes the issue. For example a user submitted a simple <script>alert(1)</script> , the payload will be executed if the message is loaded on the next page after scrolling down. 




 

 Sometimes an 'alert(1)' isn't enough to demonstrate :)

But wait, 
just an alert(1) isn't enough to demonstrate the issue right? Many hackers and beginners think XSS is limited to alert(1) or just a prompt dialogue. So i decided to change this concept and coded the Exploitation Script:

The script is able to perform the following actions:

• Messages Capture
• Email Change
• Account Deletion

How does it works?

Basically, i've coded multiple exploits for each of the action in javascript. This python script actually injects the payload in a target account and then floods the user with around 20 messages so the payload gets into the vulnerable area and executes on scroll.

The tool submits a script tag having eval with atob in order to bypass any protection deployed. The base64 encoded exploit code executes when passed through eval. The site returns an Error if the message contains any '.' character and that is used to deny any message having a link or domain. The protection can be bypassed by encoding the payload into Base64 and passing it into atob with eval. So the template is like:

<script>eval(atob(exploit_code_here))</script>

The site has implemented multiple protection mechanisms that the tool properly bypasses. The scripts loads multiple proxies and submits the exploit code from a different IP address to bypass IP based limitations. This slows down the performance but does the job.

Exploit Codes:

All the XSS exploits i've coded for Sarahah is available on my Github. 

Account Deletion Exploit Code

Once the exploit code is loaded into the web application, a new invisible iframe element is created which loads the account deletion page in it. Afterwards, the page is submitted using javascript which deletes the account instantly. Due to lack of Click Jacking protection, we can interact with elements inside the iframe due to which we can delete the account.

Email Change / Account Takeover Exploit Code

This is another exploit and it's high in impact it takes over user's account instantly. Once the coded is loaded the exploits loads the settings page in iframe and changes the value of email form field with the once provided by the exploit and submits the page and the email is change. Once the email is changed the user can request a password reset link to the new email and can takeover the account. This code for this is similar to the account deletion code as they works in a same way.

Account Message Read and Capture

This is the best one of these exploits, this exploit goes through all the messages and captures them. Once the code is loaded, the code goes through every page having messages at '/Messages/GetReceivedMessagePage?page='. If requested with a specific page number, returns messages in JSON object form. The response is captured and is sent to a specified logger which is hosted by an attacker. The logger reads and parses the messages and returns them in valid form.

Setting up your system before exploitation:

Modules Required  

• requests
• urllib3
• urllib
• urllib2
• ssl
• glob
• cookielib
• bs4 or BeautifulSoup

Before using, make sure you have done the followings: 

• CORS should be enabled
• Logger(log.php) should be publicly accessible
• Your IP or domain where files are hosted should have SSL deployed
• Victim should be not be an app user

 

Exploit in Action!

So, each of the exploit is submitted in a way the web application can deny as the code inside is base64 encoded and will not be removed. The coded is then loaded by creating a new script element having source of exploit code available on github. 

Victim's Messages captured by Sarahah XSS Exploitation Script

Generating and Injecting Payload to victim's account

Demonstration:

The following is the video of Sarahah XSS Exploitation Tool's Demonstration:

Want the Script?

I've uploaded the script on my Github so you guys can use it. It's available Here.

Usage:

$ git clone https://github.com/shawarkhanethicalhacker/Sarahah-XSS-Exploit/
$ cd Sarahah-XSS-Exploit
$ python sarahah.py

One last thing, want to protect yourself?

This XSS vulnerability affects the user when the user is using Browser. If the user is using mobile application for android or IOS, he won't be affected as it's properly protected there. So if you want to prevent yourself from getting hacked, use Sarahah's Mobile Application.