StartCom – DomXSS


Recently I got a mail notification from StartCom saying that my S/MIME certificate was about to expire, so I decided to renew it.

First of all I had to validate my mail address, and afterwards I landed on a page where I could type the mail address for which I wanted to generate a new certificate.

URL: https://startssl.com/Certificates/ApplyClientCert

There was a fancy error text that appeared as soon as I typed the first character, telling me that my mail address was not valid. There was no AJAX communication, so the check had to be done client-side. Well, what happens if I enter XSS'">? I tried it and the text was still there. Okay, and what happens if I continue with <script>alert(1)</script>? Immediately after I finished typing the opening <script> tag, the text disappeared. That means there must be some blacklist/whitelist in place. But what about other tags? I tried the <b> tag and voilà, the text was rendered in bold. So if I can use other tags, I can use event handlers to trigger JavaScript, right? I chose the onmouseover event as a PoC.

Used payload: <b onmouseover=alert(document.domain)>XSS

This is the result:

(Screenshot: StartCom DomXSS)


When the user moves the mouse over the text “XSS”, the script runs (it can be done without any further user interaction, but this is just a PoC 😉 ):

(Screenshot: StartCom DomXSS - PoC)
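The blacklist-versus-encoding point above, as an added example (not StartCom's code): a Node.js model of the error-message rendering, where `blacklistFilter` is an assumed reconstruction of a filter that strips only <script> tags, `renderErrorUnsafe` concatenates the filtered input into HTML the way an innerHTML assignment would, and `renderErrorSafe` HTML-encodes the input instead. `hasEventHandlerTag` is a small check a reviewer can run over rendered markup to spot tags carrying on* attributes.

```javascript
// Added example, not StartCom's code. The filter below is an ASSUMPTION about
// how the original client-side check behaved: it removed <script> tags but
// left every other tag and attribute untouched.
function blacklistFilter(input) {
  // Removes <script ...> and </script>; everything else passes through.
  return input.replace(/<\/?script\b[^>]*>/gi, "");
}

// Vulnerable rendering: filtered input is concatenated into markup that the
// page would assign to element.innerHTML, so any surviving tag becomes live DOM.
function renderErrorUnsafe(email) {
  return `<span class="error">Input the wrong E-mail: ${blacklistFilter(email)}</span>`;
}

// Hardened rendering: encode the HTML metacharacters so user input can only
// ever become text. In a real page, element.textContent = email is simpler.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderErrorSafe(email) {
  return `<span class="error">Input the wrong E-mail: ${escapeHtml(email)}</span>`;
}

// Detection helper: does the rendered markup contain a tag with an on* handler?
function hasEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Payload taken from the post; the script-tag input is the one the filter catches.
const PAYLOAD = "<b onmouseover=alert(document.domain)>XSS";

console.log(renderErrorUnsafe("<script>alert(1)</script>test")); // <script> stripped
console.log(renderErrorUnsafe(PAYLOAD)); // <b onmouseover=...> survives the blacklist
console.log(renderErrorSafe(PAYLOAD));   // &lt;b onmouseover=...&gt;XSS, inert text
```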

As soon as they answered, I discovered one more thing: I am able to inject an arbitrary class into the error text 🙂

It can be done with the payload: |b btn-success btn

and the result is that “b btn-success btn” is inserted as the class of the text “Input the wrong E-mail”.

(Screenshot: class injection)


Timeline:

26/7/2016 – Initial report to StartCom
26/7/2016 – Response from the StartCom team – they responded within a few minutes! Thumbs up for that!
29/8/2016 – Confirmation from my side that the vulnerabilities were fixed
30/8/2016 – Discovery of the class injection and report to the StartCom team – still not fixed
28/9/2016 – Public disclosure
