QRZ.com security vulnerability report

Exploit 1, staff impersonation

In this exploit, I abuse injected CSS styles to make my user page look identical to that of a QRZ.com staff member.

Using the CSS visibility: hidden; property and the :after pseudo-element, I can change my visible user type to "QRZ Engineering Manager".

Then, using the :before and :after pseudo-elements, I load and place the staff and verified badges next to my profile image.


Exploit 2, redirect to phishing, via user interaction

In this exploit, I abuse the visibility: hidden; property once again, this time hiding all user-related info and navigation items and displaying only the contents of the bio. Then I can place a phishing redirect link in my bio for the user to follow.


Exploit 3, redirect to phishing, automatic

In this exploit, I simply add an HTML meta refresh tag to the contents of my bio, which automatically redirects the user to a phishing page.


Exploit 4, arbitrary JS execution, via user interaction

In this exploit, we go one step further. We can abuse the formaction attribute of a button to execute arbitrary JavaScript. From this, we redirect the user to a malicious site along with their current cookies. We can then steal their session cookie and gain access to the user's account.


Exploit 5, arbitrary JS execution, automatic

This is the most pressing of all vulnerabilities.

We can abuse the srcdoc attribute of an iframe to automatically execute malicious JavaScript, accomplishing the same as Exploit 4 without user interaction.

Rather than redirecting the user to a page, we can simply make a request to a malicious server with the contents of document.cookie, which will then log the session key. Once set up, you immediately gain full access to the account of any user who accesses your callsign page.

This access allows us to construct a JavaScript worm. We use the compromised session key to edit that user's bio, adding the same malicious code. As more users visit callsign pages, this propagates throughout the entire userbase until every active account on the website is compromised.

In addition, the xf_session cookie also allows you to log in to accounts that have explicitly logged out, because logging out only removes the client-side cookie. Sessions are not destroyed server-side, so they may be resumed.
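The logout behaviour described above is a server-side defect, not a browser one. The following is an added example written for this report, not QRZ's own code: a minimal session store in which logout destroys the session on the server, plus a bulk revocation hook for cleaning up compromised accounts and a Set-Cookie header that keeps the id out of document.cookie. The cookie name xf_session is the one the report names; the store, its TTL, the clock injection and the function names are assumptions made for this example.

```python
# Added example (not QRZ's code): server-side session handling that fixes the
# "logout only removes the client-side cookie" behaviour described above.
# The cookie name comes from the report; everything else is an assumption.
import secrets
import time

COOKIE_NAME = "xf_session"


class SessionStore:
    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock           # injectable so expiry can be exercised offline
        self._sessions = {}          # session id -> {"user": str, "expires": float}

    def login(self, user):
        # 256-bit random id from the CSPRNG; never derived from user data
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl}
        return sid

    def resolve(self, sid):
        """Map a cookie value to a user, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s["expires"] <= self.clock():
            del self._sessions[sid]
            return None
        return s["user"]

    def logout(self, sid):
        """Server-side logout: the id can no longer be resumed by anyone."""
        self._sessions.pop(sid, None)

    def revoke_all_for(self, user):
        """Incident response: kill every session of a compromised account."""
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def set_cookie_header(sid, max_age):
    # HttpOnly keeps document.cookie from exposing the id to injected script;
    # Secure and SameSite limit where the browser will send it.
    return (f"Set-Cookie: {COOKIE_NAME}={sid}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def scenario():
    """Reproduce the report's observation, then the fix, as return values."""
    store = SessionStore(ttl_seconds=60)
    sid = store.login("alice")
    copied = sid                        # a value that leaked, e.g. via document.cookie

    browser_cookies = {COOKIE_NAME: sid}
    browser_cookies.pop(COOKIE_NAME)    # client-side "logout" only: server untouched
    resumable_after_client_logout = store.resolve(copied) == "alice"

    store.logout(copied)                # what the logout handler must also do
    resumable_after_server_logout = store.resolve(copied) is not None

    # Expired sessions also stop resolving, even if the id was copied earlier
    late = SessionStore(ttl_seconds=60, clock=lambda: 0)
    sid2 = late.login("bob")
    late.clock = lambda: 61
    expired_resolves = late.resolve(sid2) is not None

    return resumable_after_client_logout, resumable_after_server_logout, expired_resolves


if __name__ == "__main__":
    print(scenario())   # (True, False, False)
    print(set_cookie_header("example-id", 3600))
```

With the cookie marked HttpOnly the srcdoc and formaction payloads above could still run, but document.cookie would no longer hand them the session id; revoke_all_for is what an operator would call for every account found to have been touched by the propagating payload.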


NEW: Exploit 6, arbitrary JS execution, automatic (logbook)

The following pages in the QRZ logbook allow basic <script> injection.

  • List page XSS:
    • Receiver Info > Op
  • Detail XSS:
    • QSO Info > Info: Received
    • QSO Info > Info: Sent
    • Receiver Info > QTH
    • QSL Info > QSL to VE9DLL Via
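Exploits 1 to 6 share one root cause: profile and logbook fields are stored and rendered as raw HTML. A blocklist that only strips <script> would stop Exploit 6 and none of the others, which is why the usual fix is an allowlist. The following is an added example written for readers of this report, not QRZ's code: a small allowlist sanitizer on the Python standard-library html.parser, run against constructed samples of each vector (payloads reduced to alert(1) markers). The allowed tag and attribute sets, the class and function names, and the samples are assumptions made for this example.

```python
# Added example (not from the QRZ report, not QRZ's code): an allowlist HTML
# sanitizer for user-supplied bio/logbook text. It neutralises the vectors the
# report lists: <style>/style= (Exploits 1-2), <meta http-equiv="refresh"> (3),
# formaction= on a <button> (4), <iframe srcdoc=...> (5) and raw <script> (6).
# The allowed tags/attributes below are assumptions chosen for this example.
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}      # style=, formaction=, srcdoc=, on*= never survive
VOID_TAGS = {"br"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
# Elements whose content is discarded together with the tag (script text, CSS, frames)
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript", "template"}


class BioSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitised output fragments
        self.open_tags = []    # allowed tags currently open, for balancing
        self.skip_depth = 0    # > 0 while inside a DROP_CONTENT_TAGS element

    @staticmethod
    def _safe_url(value):
        # Collapse whitespace and case so "java\nscript:" or "jAvAsCrIpT:" cannot slip past
        v = "".join((value or "").split()).lower()
        return v.startswith(SAFE_URL_PREFIXES)

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # <meta>, <button>, <form>, <div>... are dropped; their text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not self._safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close back to the matching tag so mis-nested input cannot leave tags open
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions hit the parser's
    # no-op defaults and are therefore dropped.

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_bio(html_text):
    """Return html_text reduced to the allowlist above; safe to store and render."""
    p = BioSanitizer()
    p.feed(html_text)
    return p.result()


def script_only_blocklist(html_text):
    """The kind of filter that stops Exploit 6 and nothing else, for contrast."""
    return re.sub(r"<script\b.*?</script\s*>", "", html_text, flags=re.S | re.I)


# Constructed samples, one per vector in the report (payloads reduced to markers)
SAMPLES = {
    "css_impersonation": '<style>.usertype{visibility:hidden}</style><p style="color:red">73!</p>',
    "meta_refresh": '<meta http-equiv="refresh" content="0;url=https://phish.example/">Hello',
    "formaction": '<form><button formaction="javascript:alert(1)">Click</button></form>',
    "srcdoc": '<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>',
    "script": '<script>alert(1)</script><b>VE9XXX</b>',
    "js_href": '<a href="  jAvAsCrIpT:alert(1)">link</a>',
    "benign": '<p>Hi, see <a href="https://example.org/">my site</a></p>',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {sanitize_bio(raw)!r}")
```

The allowlist is deliberately short; widening it (images, tables) is where care is needed, since every new attribute is a new place for a URL or style to hide. A Content-Security-Policy that disallows inline script would add a second layer for Exploits 4 to 6, but it does nothing for the CSS impersonation and meta refresh cases, so output sanitization stays the primary control.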

Notes

  • David Gilbertson at HackerNoon has great articles (1, 2) on similar attacks.

Disclaimers

  • All vulnerabilities were disclosed using the responsible disclosure model.
  • To ensure I didn’t capture any session keys other than my own during testing, all connections that gave me access to user data were made over localhost. Additionally, connections to https://drakeluce.com/vulnerable simply displayed data back to the end user, and were not logged.

UPDATE (June 7th, 2018)

As of today, it appears all of the disclosed JavaScript vulnerabilities have been patched by the team at QRZ. This vulnerability report is now public.