United to XSS United

Hello there,

In this blog post, I will explain how I was able to bypass some client-side XSS so-called "protection".

While I was looking for cheap flights, I recalled that United offers a bug bounty program that rewards free mileage to researchers who report security vulnerabilities.

As I started testing their websites, I found a couple of bugs and reported them, then I came across the subdomain http://checkin.united.com.

Visiting the above link redirected me to another page on the same subdomain, with a GET parameter called "SID". I started testing that parameter and noticed that its value gets reflected in the document 60+ times, none of which is properly sanitized against special characters, allowing me to break out of the tags it is reflected into in 100% of the reflections.

I simply entered "> to get the alert box I was looking for, but weirdly enough, no alert boxes appeared at all. I then inspected the source of the page and found that my injection actually lands untouched, exactly the same, all 60+ times, yet the JS payload doesn't execute.

Some of the payload reflections in the document

I started digging more into the script tags and what code they contain, until I reached the source of my misery: a JS file that is included in the page and contains the following code:

JS code that caused the trouble

Basically, the code overrides the native alert(), confirm(), prompt(), unescape(), and document.write() functions and nullifies them, so calling them does absolutely nothing. This was implemented as an "XSS protection".

So after some research, I managed to restore document.write() to its default state by calling document.write = HTMLDocument.prototype.write;document.write('STRUKT');, but again, what good does that do when all the main functions I actually want to call are still sabotaged?

Using document.write() to print into the document


I started playing around with the help of my friend and teacher @brutelogic, who provided me with this link, which talks about the JS defense in place. The article also mentioned that we could restore the overridden functions to their defaults by using the delete keyword. We tried it, and it turned out to be blacklisted as well. Then I had an idea: what if I inject empty iframe tags (without the src attribute) and then set the main window's alert() function to the native alert() of one of these iframes? It would then be reset to the default alert() function that any document has.

I tried the new idea and it actually worked, bypassing all the "XSS protections" in place and circumventing the overrides implemented by the developers.
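The override in that JS file treats the symptom rather than the defect: the SID value is written into the markup without encoding for the context it lands in, and that is where the fix belongs. The following is an added example, not United's code; the template shape, the function names and the sample input are assumptions:

```javascript
// Added example (not from the original post): context-aware output encoding
// for a reflected parameter, which is the fix that stubbing out alert() is not.

// HTML text and attribute context: neutralise every character that could
// close an attribute value or a tag, so "> cannot break out.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  }[ch]));
}

// JavaScript string-literal context (value placed between quotes inside a
// <script> block): hex-escape everything that is not alphanumeric, so neither
// a quote nor </script> can terminate the literal or the script element.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Hypothetical page fragment reflecting SID in three different contexts
// (attribute, text, JS string); the real markup is not shown on the page.
// Each reflection uses the encoder matching its own context.
function renderCheckinFragment(sid) {
  return [
    `<input type="hidden" name="SID" value="${encodeForHtml(sid)}">`,
    `<span id="sid">${encodeForHtml(sid)}</span>`,
    `<script>var sid = "${encodeForJsString(sid)}";</script>`,
  ].join('\n');
}

// Regression check: the raw injected string must never survive into the output.
function containsRawReflection(html, injected) {
  return html.includes(injected);
}

// Constructed sample input of the attribute-breakout shape described in the post.
const constructedInput = '"><svg onload=alert(1)>';
console.log(renderCheckinFragment(constructedInput));
console.log('raw breakout present:',
  containsRawReflection(renderCheckinFragment(constructedInput), constructedInput));
```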

The beloved alert box finally popping up

Then my friend @brutelogic managed to optimize the payload into a much shorter one that also works in Chrome and bypasses the XSS Auditor (because there is also an unsanitized reflection in a tag context).

Brute’s payload working in Firefox
Brute’s payload bypassing Chrome’s XSS Auditor

Then I decided to go further and check whether United's main website contains any flaws. After less than 10 minutes of investigation, I found that the exact same vulnerable path found on http://checkin.united.com exists on United's main website, with exactly the same imported libraries and the same 60+ vulnerable reflections, killing two birds with one stone.

XSSing United’s main website with the same payload

Finally, I would like to thank my teacher and friend @brutelogic for his continuous support and generosity in providing me with brilliant and unexpected information.

See you in another post 😉 
