Shulou(Shulou.com)05/31 Report--

This article shows you how to find the storage XSS loophole in Yahoo email APP. The content is concise and easy to understand, and it will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

Vulnerability situation

The object I tested was Yahoo! The Mail iOS APP app, the iOS version of Yahoo Mailbox, contains a storage XSS vulnerability in the xml file of the APP app. Attackers can use the XML feature to construct arbitrary HTML/Javascript code to embed mail, and this arbitrary code rendering can be realized when the APP user opens the mail. At the extreme end, using the entity extension attack of XML, it can form a DoS attack and cause the APP service to crash.

XML entity extension attack: XML Entity Expansion implementation, implemented by creating a definition of a custom entity in XML's DOCTYPE. For example, this definition can generate a XML structure in memory that is much larger than the original allowable size of XML, which can be used to deplete the necessary memory resources for the normal and effective operation of the network server.

Preliminary report on vulnerability Analysis

Log in to your Yahoo email from any Yahoo email login page or client, then upload a xml file of the following style as an attachment, and then send this email with the following yahoo-xss.xml attachment to your own Yahoo email or another Yahoo test email.

Prompt (_ document.location)

Use the Yahoo Mail iOS client (Yahoo! Mail iOS APP), enter your pickup test Yahoo email, check the yahoo-xss.xml attachment, open it, and see if there is a XSS response. As a result, of course there is, and it will scare you. As follows:

Note: I don't know why, but the XML rendering mechanism in the Yahoo Mail iOS app is weird and dangerous. If you receive multiple attachments containing the above yahoo-xss.xml attachments, the yahoo-xss.xml-triggered storage XSS will parse and pop out even when you open other attachments.

I hastily reported this vulnerability, and the following is a response from the Yahoo security team on HackerOne:

At this point, the next thing I need to do is to find a way to maximize the use of this loophole and see what bad security threats and effects it can cause to the Yahoo email iOS app. But I had no idea for a while, so I had to put it aside for a while.

Loophole renewal report

Then one day, I suddenly thought of a safe and harmless way to promote vulnerability exploitation, that is, I can use HTTP requests, like "GET", to try to get local APP client resources! BingGo! I tried, and it worked! I can use this method to get the entire cached data of the Yahoo Mail iOS application, including user cookie, address list, email content, and so on.

Reappearance of vulnerability exploitation

First, log in to your Yahoo email account in any Yahoo email page or client, upload a XML file containing the following code, and then send it as an attachment to your other test Yahoo email (victim email).

Open the received XML attachment in your Yahoo test mailbox. Based on the "weird" XML parsing reason I mentioned above, you can imagine a situation: when an attacker sends you a PPT document, but the above XML file that can trigger XSS is also attached to the attachment, then when you open the received PPT document, the XML file will also trigger the XSS response. In other words, no matter how many attachments you have (including video attachments), as long as you include the above XML attachment, if you open any other attachment, it will strangely trigger a XSS vulnerability in the XML file.

Using this vulnerability to construct a key.xml, I can get the address book information in the victim's mailbox, including the sender, recipient, and contact. In the XML attachment code, the XSS leak will first display the browser version information of the client, then locate the file location, and then get the mailing list information (looking at the Internet speed here, it will take about 30 seconds). Then, after clicking on key.xml 's OK, the mailing list information is sent back to the attacker through GET, as shown in the following figure. I did the test in the internal LAN, and my Server receiver turned on port 8090 listening with nc-lvvv 8090:

Using this vulnerability to construct a cachedbpost.xml, I can get the victim's Cookie information. After clicking on cachedbpost.xml 's OK, the entire Cache.db file is sent back to the attacker through POST, as shown in the following figure. In the test I did in the internal LAN, my Server receiver turned on port 8090 listening with the nnc-lvvv 8090 > yahoo.db command, and stored the Cache.dbd as yahoo.db:

After receiving the complete Cache.db file, we filter the header contents in it and retrieve the complete victim cookie information with the following command:

Strings yahoo.db | grep-I Cookie-A 10-B 5

In addition, you can enumerate by http server to form a request cookie for a specific Web site:

Strings yahoo.db | grep-I https

Yahoo security staff received the vulnerability and quickly classified, fixed and disposed of it.

Vulnerability impact

Any attacker can exploit this vulnerability to construct a specific XML file to send to any user, thereby obtaining sensitive information in the victim's user's mailbox, including sender, receiver, Cookie and contacts.

My test environment:

IPhone 6-iOS v11.2.5.

Affected iOS client version:

Yahoo! Mail app v4.XX.X (XXXXX)

The above content is how to find the storage XSS loophole in Yahoo email APP. Have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.