LinkedIn DOM XSS Analysis Report
•
1 like•9,403 views
Fixed DomXss Vulnerability in Linkedin.com
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to LinkedIn DOM XSS Analysis Report
Similar to LinkedIn DOM XSS Analysis Report (20)
Recently uploaded
Recently uploaded (20)
LinkedIn DOM XSS Analysis Report
- 1. Project: DOM XSS Analysis Edition: 1.6 Last Edit: 05/08/2014 Cassification: Not restricted DOMinatorPro Enterprise Analysis Report Website: Linkedin.com
- 2. DOM Based XSS: Report Edition: v1.6 Date: 05/08/2014 Not restricted Page 1/8 Summary 1 INTRODUCTION..........................................................................................2 Disclosure Timeline..............................................................................................2 2 KEY FINDINGS............................................................................................3 HTML Injection and Reflected DOM based XSS.....................................................3 2.1.1 Description.............................................................................................................3 2.1.2 Exploitation Notes .................................................................................................3 2.1.3 DOMinatorPro Enterprise Automated Tainted Analysis .......................................3 2.1.4 Manual Analysis.....................................................................................................6
- 3. DOM Based XSS: Report Edition: v1.6 Date: 05/08/2014 Not restricted Page 2/8 1 Introduction Minded Security performed an authenticated scan using DOMinatorPro Enterprise security scanner for searching Javascript security issues across Linkedin.com website. Herein are reported the High Risk vulnerabilities related to Linkedin.com location. Minded Security identified the following security issues: 1) Reflected DOM based Cross Site Scripting: an attacker could be able to inject arbitrary HTML in the browser DOM and executing arbitrary Javascript in the context of Linkedin.com. Disclosure Timeline 08th June 2014 – Vulnerability Found 09th June 2014 – Linkedin.com security team contacted 10th June 2014 – Report with vulnerability details shared 11th June 2014 – Vulnerability confirmed 28th July 2014 – Fix notification received from Linkedin.com. Update: The fix was actually faster than the fix notification. The fix was made in less than ten days. 30th July 2014 – Publication date approved 4th August 2014 – Publication
- 4. DOM Based XSS: Report Edition: v1.6 Date: 05/08/2014 Not restricted Page 3/8 2 KEY FINDINGS HTML Injection and Reflected DOM based XSS 2.1.1 Description This vulnerability occurs when the user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to distinguish (trust) the legit from the malicious parts and consequently will parse and execute all as legit in the victim context. There is a wide range of methods and attributes that could be used to render HTML content. If these methods are provided with an untrusted input, then there is a high risk of XSS, specifically an HTML injection one. Malicious HTML code could be injected for example via innerHTML which is used to render user inserted HTML code. If strings are not correctly sanitized the problem could lead to XSS based HTML injection. Another method could be document.write() 2.1.2 Exploitation Notes When trying to exploit this kind of issues, consider that some character is treated differently by different browsers. For reference see DOM XSS Wiki https://code.google.com/p/domxsswiki/wiki/Introduction 2.1.3 DOMinatorPro Enterprise Automated Tainted Analysis Vulnerable domain www.linkedin.com Affected URL https://www.linkedin.com/vsearch/j?locationType=Y&f_F=adm&f_E=2,1
- 5. DOM Based XSS: Report Edition: v1.6 Date: 05/08/2014 Not restricted Page 4/8 Affected Javascript: https://static.licdn.com/scds/concat/common/js?h=5gtttrez0fhqk1rr rdqybs6gw-9vzmgtova4p6wyq7dbsmnt1j6-36auq8v5gzcgbgpv5n75nqcpk- 2a35w1u9dwchgvetamdi0zt3m-6a6p8n9gugzd0ryn13oa78kxj- 62puerwhsridwm57u01qsxtgg-bzhffmu8ocvnlrzhplrxgenzp- 56juw5ojwfpz2vfzqy5qdqiz1-e8vdu3l6plnevcvpl03eev99t- d0ck18rz80ts0mwjk68f85n3q-arhs3x17rekxltvfsmdiddwp- 4qsv2carv9f6azb28pmyhtnv8-f1y5knzjtcxmj9x8cl51rtufk- 6rnrnyvqx3fvi8aj3mn3uv7z8-ey4d2siu9jgxr6p7xukvraecz- 1o07mzpiga70g74el55h7xky0-cubycx5zvm3dwhe0o51ze29pk- 14uchb6cxkxwro184wj55lgrl-3m0wwwerqvp8618uhx52in5b- c58fihowoh2nty084ompqbnhm-2ypl17s5c3i6apu2k82ewhfxt- 8x5be63fehllbdraunzu3eq6z-bi130qzxq4ykvlfxrdyrjrhja- c7v11p9r4wbi4fv9wbm6xiih6-b1qfz41z3b3boi2i3gjuzglmx- 3z3pvetds3fbixw0n28vfts1b-2bu8xuljmvyk198nas6fgwc25- 7w625ciy82qn8enruyvyr4es-2b6ka2xa7ha23666ep05spxau- f3ibwuwgxet161wu5iic3rqmr Stack Trace domify()js?h=b...1cc01dk (line 11508) b = "<fieldset class="facets...alue="2,1"/></fieldset>" updateStickyFacets()js?h=5...ic3rqmr (line 2028) modifyGlobalSearchAction()js?h=5...ic3rqmr (line 2035) Vulnerable Function Beautified If the condition is met, from the QueryString (location.Search) all parameters that starts with “f_” are read and concatenated in a <input> list of a <fieldset> HTML tag. LI.SearchFacets.Mediator.prototype.updateStickyFacets = function() { var b = YDom.get("global-search"), g = "", d, e, f, c, a; if (b && (!this.hasGlobalSearchDropdownChanged && (this.lixStickyFacets === "all" || (this.lixStickyFacets === "jobs" && this.getVerticalType() === "jobs")))) { this.removeHiddenInputs(b); d =
- 6. DOM Based XSS: Report Edition: v1.6 Date: 05/08/2014 Not restricted Page 5/8 this.getQueryString().match(LI.SearchFacets.regex.facetsFromQuery String) || []; e = ['<fieldset class="facets">']; for (c = 0, a = d.length; c < a; c++) { f = d[c].split("="); e.push('<input type="hidden" name="' + f[0] + '" value="' + decodeURIComponent(f[1]) + '"/>') } e.push("</fieldset>"); b.appendChild(LI.domify(e.join(""))) } }; String Taint History location.search ?locationType=Y&f_F=adm&f_E=2,1&keywords=&countryCode=it&orig=JSH P&distance=50&locationType=I REPLACE ?,locationType=Y&f_F=adm&f_E=2,1&keywords=&countryCode=it&orig=JS HP&distance=50&locationType=I JOIN locationType=Y,I&f_F=adm&f_E=2,1&countryCode=it&orig=JSHP&distanc e=50&rsid=67274011402404052195&openFacets=L,C,F,E REGEXP f_E=2,1 SPLIT 2,1 DECODEURICOMPONENT 2,1 CONCAT <input type="hidden" name="f_E" value="2,1 CONCATLEFT <input type="hidden" name="f_E" value="2,1"/>
- 7. DOM Based XSS: Report Edition: v1.6 Date: 05/08/2014 Not restricted Page 6/8 JOIN <fieldset class="facets"><input type="hidden" name="f_F" value="adm"/><input type="hidden" name="f_E" value="2,1"/></fieldset> 2.1.4 Manual Analysis DOMinatorPro Enterprise automation gives a complete insight of the vulnerability risk and the ease of exploitation. To prove the effectiveness of the analysis we added the following proof of concept that shows the vulnerability exploit in action. It’s also important to point out that this vulnerability can be exploited only if several requirements are met. Requirements The Dom XSS Poc will work if the following requirements are satisfied: User must be logged into Linkedin.com web portal <!--{"content": "lix_sticky_facets":"jobs" Or <!--{"content": "lix_sticky_facets":"all" Note: We estimate that 60% of users are vulnerable. Several users may have "lix_sticky_facets":"control" set so the POC would not be successful. Vulnerability POC https://www.linkedin.com/vsearch/j?locationType=Y&f_F=adm&f_E=2,1 "/><img/src%3d"err"//onerror%3d"alert(document.domain)&goback=.cj p_*1&trk=cjp_jfunc The vulnerability is an XBrowser issue due to the decodeURIComponent(f[1]) function used for decoding the parameters from the URL. Therefore this proof of concept will work on most browsers like IE, Firefox and Chrome. Browser Screenshot
- 8. DOM Based XSS: Report Edition: v1.6 Date: 05/08/2014 Not restricted Page 7/8