PayPal is a site that everyone has heard of; as a result, finding XSS on the site is a huge deal.
To find the XSS, PortSwigger used their new in-house tool, DOM Invader. Burp's embedded browser visits the site and injects a canary to discover which sources and sinks the page uses. Once it finds a few links, it injects XSS-like characters to see whether they are allowed through.
After applying this semi-automated technique to the page, they found a few interesting sinks that accepted bad characters. The tool made the reflection easy to see instead of leaving it hidden in the DOM. The vulnerability was in the ID parameter of a span, which did not escape the quote.
The input had to be a valid CSS selector. After coming up with a crazy payload, the exploit worked! Well, kind of: PayPal did not agree, because the CSP was restricting the XSS, sadly.
PayPal should assess this as XSS at face value; a CSP bypass should not be required to demonstrate impact. PortSwigger then went about finding a bypass for the CSP. Obviously, the first thing to look at is the CSP itself.
At first glance, the CSP allows certain domains, such as *.paypalobjects.com and *.paypal.com. It also allows 'unsafe-eval', which permits eval, the Function constructor and other JavaScript execution sinks.
First, they plowed through the potential attack surface, looking at what was loaded. With no progress on known gadgets, they tackled PayPal-specific gadgets. Eventually, they found a trusted page containing an obvious DOM XSS gadget. By loading jQuery together with that page, the second exploited vulnerability bypassed the CSP by calling jQuery functions.
The author claims that "...jQuery is CSP's nemesis. It converts scripts, and will happily execute them with policies, using the 'unsafe-eval' directive". It turned out that because the original value being injected was in a jQuery selector, the separate XSS bypass was not needed. jQuery really is the enemy of the CSP!
I had two main takeaways: first, DOM Invader is an awesome tool that I should learn how to use. Second, do not rely on a CSP to protect the site, as it can likely be bypassed.