Marktplaats: Content Spoofing - http://aanbieding.marktplaats.nl/wp-admin/admin-ajax.php

2015-06-09T16:26:47
ID H1:66914
Type hackerone
Reporter vagg-a-bond
Modified 2015-07-31T06:49:46

Description

Hello,

Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain.

Content spoofing is an attack that is closely related to Cross-site Scripting (XSS). While XSS uses <script> and other techniques to run JavaScript, content spoofing uses other techniques to modify the page for malicious reasons. Even if XSS mitigation techniques are used within the web application, such as proper output encoding, the application can still be vulnerable to text-based content spoofing attacks.

Vulnerable Request: > http://aanbieding.marktplaats.nl/wp-admin/admin-ajax.php?c=jQuery17207187112115458284_1433863269210&EMAIL=testerrr%40test.com&action=list_subscribe-submit&_=1433866231979

Crafted Request: > http://aanbieding.marktplaats.nl/wp-admin/admin-ajax.php?c=Hello!%0A%0AHere%20is%20a%20great%20offer%20for%20you.%20Visit%20http%3A%2F%2Fwww.attackerswebsite.com%2F%20and%20grab%20unbelievable%20offers!%0A%0AHier%20is%20een%20groot%20aanbod%20voor%20u.%20Bezoek%20http%3A%2F%2Fwww.attackerswebsite.com%2F%20en%20pak%20ongelooflijke%20aanbiedingen!%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A%0A&EMAIL=testerrr%40test.com&action=list_subscribe-submit&_=1433866231979

Observe that in the response to the crafted request, the user-crafted string is returned as plain text, and an attacker can use this to frame his own sentences, tricking the user.

Vulnerable Parameter: c

Vulnerable Page: http://aanbieding.marktplaats.nl/wp-admin/admin-ajax.php

Request Type: GET

Tested On: Latest versions of Chrome and Firefox

References:

https://www.owasp.org/index.php/Content_Spoofing
http://resources.infosecinstitute.com/content-spoofing/
http://projects.webappsec.org/w/page/13246917/Content%20Spoofing
http://capec.mitre.org/data/definitions/148.html
http://itlaw.wikia.com/wiki/Content_injection_attack
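
The reflection described in this report, next to a hardened handler, as an added example that is not part of the original report and is not Marktplaats or WordPress code. It assumes `c` carries a JSONP callback name (the jQuery-style value in the original request suggests this); the function names and the 64-character limit are hypothetical.

```javascript
// Added example: hypothetical handler logic, not the site's own code.
// Assumption: `c` is a JSONP callback name, so only identifier characters are legitimate.

// Identifier segments joined by dots, e.g. jQuery172_143 or app.handlers.cb
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
const MAX_CALLBACK_LEN = 64; // assumed limit; long padded values are rejected

function isSafeCallback(name) {
  return typeof name === 'string' &&
    name.length > 0 &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// Pull the `c` parameter out of a request URL (percent-decoding included).
function callbackFromUrl(url) {
  return new URL(url).searchParams.get('c');
}

// Behaviour described in the report: the parameter is echoed back verbatim,
// so spaces, newlines and URLs supplied by the sender appear in the response.
function renderReflecting(callback, payload) {
  return { status: 200, body: `${callback}(${JSON.stringify(payload)})` };
}

// Hardened form: reject anything that is not a plain callback name, never echo
// the rejected value, and label the response as script so it is not sniffed
// and rendered as a readable text page.
function renderJsonp(callback, payload) {
  if (!isSafeCallback(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback',
    };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `${callback}(${JSON.stringify(payload)});`,
  };
}
```
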