Disclaimer: This tool is built to demonstrate the XSS vulnerability in Sarahah's web application that was pre-identified. I'm not responsible for any damage done using this tool, as it's only built for educational purposes.
Note: Exploit codes are included again as the vulnerability is now fixed.
Hello everyone, this is Shawar Khan and it's been a long time since my last write-up. Today I'm going to release one of my recently coded scripts, which I wrote to demonstrate the XSS vulnerability that was identified in Sarahah.
First I'd like to thank "Ronnie" for letting me know about the issue; you can find the article here.
The article demonstrates the XSS vulnerability in Sarahah properly. According to the article, the XSS is caused by insecure reflection of messages when new messages are loaded: new messages are not properly filtered, which causes the issue. For example, a user submitted a simple
Sometimes an 'alert(1)' isn't enough to demonstrate :)
The script covers three actions:
- Messages Capture
- Email Change
- Account Deletion
How does it work?
Basically, I've coded multiple exploits, one for each action, in JavaScript. The Python script injects the payload into a target account and then floods the user with around 20 messages so the payload lands in the vulnerable area and executes on scroll.
The tool submits a script tag that passes the payload through atob and eval in order to bypass any protection deployed: the base64-encoded exploit code executes when the decoded string reaches eval. The site returns an error if the message contains any '.' character, which is how it denies any message containing a link or domain. That protection is bypassed by base64-encoding the payload (which contains no '.') and passing it to atob inside eval. So the template looks like:
<script>eval(atob(exploit_code_here))</script>
The site has implemented multiple protection mechanisms that the tool bypasses. The script loads multiple proxies and submits the exploit code from a different IP address each time to bypass IP-based rate limits. This slows things down but does the job.
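The reason the '.' blacklist above fails is that it filters on a character that the encoded template never contains, while the real fix is output encoding at the point where messages are rendered. The following is an added example written for this post (not code from the Sarahah exploit repository or from Sarahah itself); the message text and the function names are constructed for illustration.

```javascript
// Added example: a dot-blacklist check versus contextual output encoding,
// run against the template the post describes. Not Sarahah's own code.

// Constructed sample: the post's template with a placeholder in place of
// a real base64 payload. Note that it contains no '.' character at all.
const INJECTED_MESSAGE = '<script>eval(atob("PAYLOAD_PLACEHOLDER"))</script>';

// The weak server-side control the post describes: reject any message
// containing '.'. It blocks a plain domain but accepts the template.
function dotBlacklistAccepts(message) {
  return !message.includes('.');
}

// Output encoding for the HTML text context: every character that can
// open a tag, close an attribute or start an entity is escaped, so the
// sender's text is displayed as text and never parsed as markup.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds the fragment for one received message. Only the escaped body is
// interpolated; the surrounding markup is static and trusted.
function renderMessage(message) {
  return '<div class="message">' + escapeHtml(message) + '</div>';
}

// A quick reviewer's check on rendered output: after encoding, no <script>
// tag (or any other sender-supplied tag) should survive in the fragment.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Rendering with escapeHtml (or setting textContent instead of innerHTML in the client) makes the '.' filter unnecessary, because the payload is inert regardless of how it was encoded.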
Exploit Codes:
All the XSS exploits I've coded for Sarahah are available on my GitHub.
Account Deletion Exploit Code
Once the exploit code is loaded into the web application, a new invisible iframe element is created which loads the account deletion page. The form in that page is then submitted using JavaScript, which deletes the account instantly. Because the page lacks clickjacking (framing) protection, the script can interact with elements inside the iframe, which is what makes the deletion possible.
Email Change / Account Takeover Exploit Code
Account Message Read and Capture
/Messages/GetReceivedMessagePage?page=
When requested with a specific page number, this endpoint returns the messages as a JSON object. The response is captured and sent to a logger hosted by the attacker. The logger reads and parses the messages and returns them in readable form.
Setting up your system before exploitation:
Modules Required
- requests
- urllib3
- urllib
- urllib2
- ssl
- glob
- cookielib
- bs4 or BeautifulSoup
Before using the script, make sure you have done the following:
- CORS should be enabled
- Logger(log.php) should be publicly accessible
- Your IP or domain where files are hosted should have SSL deployed
- Victim should not be an app user
Exploit in Action!
So each exploit is submitted in a way the web application cannot reject, as the code inside is base64 encoded and will not be removed. The code is then loaded by creating a new script element whose source is the exploit code hosted on GitHub.
[Image: Victim's messages captured by the Sarahah XSS Exploitation Script]
[Image: Generating and injecting the payload into the victim's account]
Demonstration:
The following is a video demonstrating the Sarahah XSS Exploitation Tool:
Want the Script?
I've uploaded the script to my GitHub so you can use it. It's available here.
Usage:
$ git clone https://github.com/shawarkhanethicalhacker/Sarahah-XSS-Exploit/
$ cd Sarahah-XSS-Exploit
$ python sarahah.py
One last thing, want to protect yourself?
This XSS vulnerability affects users only when they are using a browser. Users of the mobile application for Android or iOS are not affected, as messages are properly protected there. So if you want to avoid getting hacked, use Sarahah's mobile application.