If you’re teaching reflected cross-site scripting to a newbie, what could be a classic example?
A search page that takes a search keyword as input and reflects it back on the results page, along with the search results.
I logged into the ICICI Bank website after ages and noticed a new search page on my dashboard. Out of curiosity, I entered some special characters in the search field. I just wanted to check whether they were encoding the input properly. So I right-clicked to view the HTML source, but an alert popped up stating that ‘Due to security reason, right click is not allowed’. It is generally very trivial to bypass such client-side restrictions, and in 2019 I don’t think any site needs to do that as a security control. I didn’t do anything cool; I just added ‘view-source:’ before the URL and was able to see the generated HTML source.
After looking at the HTML source, I worked on the XSS payload, and the payload below successfully popped up an alert, confirming the XSS.
07/31/2016 – Reported this issue to their anti-phishing email and whatever other emails I was able to find. Also attached the screenshot and steps to reproduce the issue.
08/02/2016 – Received a generic reply from their customer care asking for my account details and phone number to help me further.
08/02/2016 – Requested them to forward the email to their IT Security team or to any responsible person in the IT department.
08/26/2016 – Asked for an acknowledgement or an update. Received a generic email from someone in the customer care department.
03/05/2017 – Requested an update.
01/18/2018 – After some good time, when I logged in to the ICICI site, I noticed that the XSS was fixed. Emailed them again to confirm whether it was fixed.
01/25/2018 – Received again a generic email from the customer care department asking for my account details and phone number to help me further.
09/21/2019 – As I never received an official response, my understanding is that this issue has been resolved. I’m writing this blog post for the general security awareness of my blog readers.
Summary: The SheetJS package in the npm ecosystem does not have any defense against Formula Injection.
Details: The SheetJS package xlsx in the npm ecosystem allows parsing and editing various spreadsheet formats. As it is JS driven, it gives the ability to render tables in the browser and allows modification of the tables on the fly. It also allows exporting this data in various spreadsheet formats, e.g. xlsx, xlsb, csv etc.
Formula Injection happens when an application writes untrusted user input into a spreadsheet-format file and that file is then opened with a spreadsheet program such as Microsoft Excel.
This vulnerability exists because of the way spreadsheet software handles formula characters (such as =, @, +, -). However, depending on the use case, applications can perform additional checks such as data validation, or escape formula characters by prefixing a single quote (‘) before the formula character, as described here.
Edit any cell in the table and update it with the value below: =cmd|’ /C calc’!A1
Export it into any spreadsheet format such as csv, xlsx, xlsb etc. and open this file with Microsoft Excel.
Excel’s latest versions show a warning. Click OK.
When this formula executes, it will pop a calculator up on your Windows machine.
This can further be extended to exfiltrating data OOB, as described here.
3/12/2019 – Reported to the npm security team via a bug bounty platform, and also sent an email directly to securityATnpm.com.
3/30/2019 – On the bounty platform, the package maintainer responded that this was Excel’s behavior and not a vulnerability in the package itself. They also shared that this had been reported to them via GitHub in January.
3/30/2019 – Report was closed on the bug bounty platform.
4/18/2019 – On the email side, a security engineer from the npm team acknowledged receiving the report and said he would be circling back.
6/27/2019 – The security engineer from the npm team reached out and shared that there had been an outage, hence there was no response from them. He asked for more details, which I provided.
7/02/2019 – The security engineer from the npm team said that he was able to reproduce the issue and had also drafted an advisory. He said that the advisory would be released once the patch was applied.
7/03/2019 – The security engineer from the npm team wrote back that the package maintainer said this was intended functionality and meant to behave as Excel does. He also referenced that the npm working group had dismissed this vulnerability report through the bug bounty platform.
7/03/2019 – I requested a public disclosure, which was approved.
7/19/2019 – I shared a draft write-up with the npm team.
7/22/2019 – Publishing this blog post.
I’m writing this post for the awareness of SheetJS users and consumers. If you are using this package, your users may not be protected against formula injection by default. If you’re using it in your development projects, you may have to implement your own work-around, depending on your use case. Also, as a user, don’t ignore the Excel warnings, and review the untrusted formula before letting it execute.
In my free time, I was looking at some Android applications and noticed that I was able to intercept SSL traffic for the Webex Meetings app. When I explored it further, I found that the Webex Meetings mobile app accepts self-signed certificates. Also, there is no certificate pinning enabled.
This makes the Webex Meetings app vulnerable to man-in-the-middle attacks.
Users of this app, if connected to a public Wi-Fi spot, can be targeted by any person on the same network. If connected to a rogue Wi-Fi hotspot, the Wi-Fi provider may have access to the data passed from the app to the server. Malware on the device can also exploit this vulnerability to intercept any sensitive data while it is traveling across the wire.
In simpler terms, if you love connecting to free Wi-Fi hotspots for your Webex meetings, in your gym or coffee shop, then your meetings may not be secret anymore.
I tested the Webex Meetings Android app, version 10.6.0.21060208, on a Samsung S8 (Android version 8.0). As per the vendor’s response, it seems all Webex mobile clients have similar behavior.
Vendor Response :
Hi Pankaj, after discussing with our development team, I’ve learned that the Webex mobile client accepts self-signed certificates because the Webex meetings component also allows for deployments using self-signed certificates. Similarly, because the Webex mobile client has to be used with so many different sites, certificate pinning is also not enabled.
Page 219 of the administrator guide instructs how to import a self-signed certificate on a mobile device to join meetings. There are instructions for iOS there as well.
Page 256 of the administrator guide instructs certificate management on the meetings server itself, including self-signed certificates.
The guide also mentions that the client warns on accepting the self-signed certificate, and users should make sure the application is genuine before accepting Connect.
These choices are consciously made by the business and documented for customers. As such, we do not consider them vulnerabilities. Although, you are correct, these configurations leave open the possibility of some attacks intended to defeat some SSL protections from attackers with privileged network positions. However, OCSP stapling is enabled as a hardening measure to verify SSL certificates.
Due to requirements of supporting applications using self-signed certificates, the Webex business unit will not make any changes to address your findings. You are of course free to make public your findings. If you do so, please include references to the above documentation.
Thank you again for your reports.
03/10/2018 – Issue reported to Cisco PSIRT.
03/10/2018 – Report acknowledged by the incident manager, and I was asked for more information.
03/10/2018 – Shared the required details. Shared some screenshots from the Packet Capture app.
03/27/2018 – I was asked if I could gather more information.
04/10/2018 – I shared some information again.
10/05/2018 – Reached out to the case manager and PSIRT DL for an update.
10/17/2018 – Reached out to PSIRT DL again for an update.
03/13/2019 – Reached out to PSIRT DL again for an update and asked permission for a public disclosure.
03/15/2019 – Got a response that the previous case manager had moved on to a different position and also that the dev team was not able to confirm my report and, because of that, there were no fixes.
03/20/2019 – Got the response confirming that Webex mobile clients accept self-signed certificates and that it is an intended behavior.
04/30/2019 – Requested a public disclosure, as even though Webex suggested they have it in the ‘admin’ documentation, I didn’t think Webex users were aware of the inherent risks.
06/20/2019 – Shared a draft write-up with the PSIRT team.
06/24/2019 – Released the advisory to the public.
No CVE or bounty was awarded, as the vendor does not consider it a security issue. The vendor credited me for reporting this bug in their public bug release notes.
While testing an app, a text field was not accepting more than 20 characters (server-side validation). I inserted the following piece of code to check for XSS (from RSnake’s XSS cheat sheet):
and verified the HTML source for the encoded characters. As < appeared unencoded in the HTML source, the input field seemed to be missing output encoding and hence was vulnerable to cross-site scripting.
Now, I just needed a popup to conclude this theory. I started looking for a smaller script. I tried to create/find some payloads that were less than 20 characters, but I was unable to find anything. At that point, a random question came to my mind: what is the smallest possible payload to pop up an alert? I know it was not needed to prove the XSS or the missing output encoding, but it was just a random question. Here are some possible payloads compiled from my own answer and a few others:
Update (7th March, 2019) – This is a very old post and may be obsolete now. I guess, as someone replied to that question in 2017, the following may be the smallest payload to pop up an alert now. I need to check.
How many times have you seen some strange characters in an email or on a web site? How many times, as a developer, have you seen your code/content getting converted to ‘?’ and users complaining?
Previously, the internet was limited to English (ASCII), but as soon as it started being used globally, ASCII was not enough to help…..
Remember the days when MS Office was a must-have for any office job. I salute Microsoft for the whole Office idea and the product suite. It definitely was one of the coolest tools of that era.
Office (but not Microsoft Office, yet) has shifted online now. Kudos to some great work by Google Docs, Zoho and Thinkfree: now you can create your document, spreadsheet and presentation online and share them with your friends. You and your friends can simultaneously work on a document or a presentation. This is termed ‘collaboration’.
This whole Online Office concept is actually SaaS (Software as a Service), because these SaaS vendors let you use their software as a service on a pay-as-you-use model. You use them without even installing them on your machine, so there is no prerequisite for your processor or disk space to run this software, which actually is a service.
I use Google Docs and Zoho. Both tools are ultimate and easy to use.
I always hate to fill in a section which is popularly known as ‘About Me’. I never understood how I am supposed to type those 1024 or some random number of characters every time I sign up to a new site. When they can come up with the ‘OpenID’ thing, why did no one think about the ‘About Me’ section…. After all, this section is the next most important thing after your user id and password if you’re signing up for a new website.
As if Google was listening, they thought about it, and they now allow a user to create a public profile which can be shared with all Google services. Presently, it supports Google Maps and Google Reader, but hopefully, in future, they integrate ‘Google Profile’ with all their services.
I have already created a Google Profile and love to use it wherever I can. At least now I can copy my ‘About Me’ information from one single page and paste it wherever it is required.