See how I found a Yahoo Mail app stored XSS vulnerability

ID MYHACK58:62201891633
Type myhack58
Reporter anonymous (佚名)
Modified 2018-09-28T00:00:00


Today I want to share a vulnerability I found in the Yahoo Mail iOS app while taking part in Yahoo!'s bug bounty program. It earned me a place in the Yahoo security Hall of Fame and a $3500 reward.

Vulnerability case

My test target was the Yahoo! Mail iOS app. The iOS version of Yahoo Mail has a stored XSS vulnerability in the way it handles XML file attachments: an attacker can use XML attributes to embed arbitrary HTML/JavaScript code in a message, and when the recipient opens that message in the app, the code is rendered and executed. Taken to the extreme, an XML entity expansion attack can turn this into a DoS that crashes the app.

XML entity expansion attacks: XML entity expansion works by defining custom entities in the document's DOCTYPE. Such definitions can make the parser build an in-memory XML structure far larger than the original document allows, and the attack uses this to exhaust the memory the server needs to keep operating normally.

Vulnerability analysis

The vulnerability starts with an email message. Sign in to your Yahoo mailbox on any Yahoo Mail login page or client, upload an XML file of the following form as an attachment, and send the message carrying the yahoo-xss.xml attachment to your own Yahoo Mail account or another Yahoo test mailbox.

<svg xmlns=""><script>prompt(document.location)</script></svg>

Then open the receiving test mailbox in the Yahoo Mail iOS app, view the yahoo-xss.xml attachment, open it, and check whether the XSS fires. The result, of course, will make you jump. See the screenshot.

Note: I don't know the reason, but the XML rendering mechanism of the Yahoo Mail iOS app is strangely dangerous. If the message carries other attachments in addition to yahoo-xss.xml, the stored XSS in yahoo-xss.xml is still parsed and triggered even when you open one of the other attachments.

I quickly reported this vulnerability; below is the response I received from the Yahoo security team on HackerOne.

Up to this point, the next thing I had to do was find a way to maximize the use of this vulnerability and see how serious a security threat and impact it posed to the Yahoo Mail iOS app. But at the time I had no clue, so I had to set it aside for a while.

Vulnerability follow-up

Then one day I suddenly thought of a way to improve the exploit: I could use an HTTP request, in the same way as a GET, to try to read the app client's local resources. Bingo! I tried it, and it really worked. With this method I could obtain the Yahoo Mail iOS app's entire cache, including the user's cookies, contact list, mail content and so on.

Exploit reproduction

First, sign in to your Yahoo Mail account on any Yahoo Mail page or client, upload an XML file containing the code shown in the screenshot, and send it as an attachment to another of your test Yahoo Mail accounts, which plays the victim's mailbox.

Open the received XML attachment in your Yahoo test mailbox. Given the "weird" XML parsing I mentioned above, imagine this scenario: the attacker sends you a PPT document, but also attaches the XML file that triggers the XSS. When you open the received PPT document, the XML file's XSS fires as well. In other words, no matter how many attachments the message carries, video attachments included, as long as the XML attachment is among them, opening any other attachment strangely triggers the XML file's XSS vulnerability. Exploiting this, I constructed key.xml, which gets me the victim's mailbox contacts, including sender, recipient and contact information.

In the XML attachment code, the XSS first displays the client's browser version information, then locates the file, and then retrieves the mailing list information; depending on network speed, this takes an estimated 30 seconds. After that, clicking OK in key.xml sends the mailing list information back to the attacker via GET, as in the figure below. I tested this on my internal LAN, with my receiving server listening on port 8090 using nc -lvvv 8090.
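The two constructs this write-up relies on, active content inside an XML/SVG attachment and DOCTYPE/ENTITY declarations that drive entity expansion, are both easy for a mail client to refuse before any renderer touches the file. The following pre-scan is an added example written for this page, not code from the original post or from Yahoo. It uses expat's event callbacks so that an entity declaration is reported the moment it is declared, before expat ever expands it, and it flags script elements, on* event attributes and javascript: URLs. The sample attachments are constructed; the first reuses the post's SVG payload, and its namespace URL is the standard SVG namespace, assumed here because the post's payload omits it.

```python
"""Pre-scan for XML/SVG mail attachments (added illustration, not the post's code).

A mail client that renders XML attachments should refuse anything carrying
active content or entity declarations before the file reaches the renderer.
expat's callbacks fire on DOCTYPE and <!ENTITY> as they are declared, so the
scan can stop before any entity is expanded.
"""
import xml.parsers.expat as expat

# Attributes whose value is a URL and may therefore carry a javascript: scheme
URL_ATTRS = {"href", "xlink:href", "src", "data"}


class _Stop(Exception):
    """Raised inside a handler to abort parsing once a hard finding is made."""


def scan_xml_attachment(data: bytes, max_elements: int = 10_000) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    count = {"elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"doctype:{name}")
        if sysid or pubid:
            findings.append("external-dtd")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Any entity declaration is enough: stop before expat can expand it.
        findings.append(f"entity:{name}")
        raise _Stop()

    def on_start(name, attrs):
        count["elements"] += 1
        if count["elements"] > max_elements:
            findings.append("too-many-elements")
            raise _Stop()
        local = name.rsplit(":", 1)[-1].lower()   # strip a namespace prefix
        if local == "script":
            findings.append("script-element")
        for attr, value in attrs.items():
            a = attr.lower()
            if a.startswith("on"):
                findings.append(f"event-handler:{a}")
            elif a in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript-url:{a}")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Stop:
        pass
    except expat.ExpatError as exc:
        findings.append(f"malformed-xml:{exc.code}")
    return findings


def is_safe_to_render(data: bytes) -> bool:
    """True only when the scan produced no findings at all."""
    return not scan_xml_attachment(data)


# Constructed sample attachments (not taken from real mail traffic).
SAMPLES = {
    # The post's SVG payload; the namespace URL is assumed, the post omits it.
    "yahoo-xss.xml": b'<svg xmlns="http://www.w3.org/2000/svg">'
                     b'<script>prompt(document.location)</script></svg>',
    # A tiny entity-expansion document: the scan stops at the first <!ENTITY>.
    "expansion.xml": b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">'
                     b'<!ENTITY b "&a;&a;">]><x>&b;</x>',
    # Event handler plus javascript: URL on an SVG anchor.
    "handler.svg": b'<svg xmlns="http://www.w3.org/2000/svg">'
                   b'<a href="javascript:void(0)" onclick="x()"/></svg>',
    # Plain data-only XML, which should pass.
    "invoice.xml": b'<invoice><total>42.00</total></invoice>',
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = "render" if is_safe_to_render(blob) else "block"
        print(f"{name}: {verdict} {scan_xml_attachment(blob)}")
```

The scan is deliberately a gate rather than a sanitizer: the post shows that the app executes whatever it finds in the attachment even when a different attachment is opened, so the only reliable fix on the client is to never hand such a file to an HTML-capable renderer at all. Note that expat does not fetch external entities unless an ExternalEntityRefHandler is installed, so the scan itself cannot be used to trigger an outbound request.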
