Welcome to duststar theory
Cross-Site Scripting (XSS) Vulnerability on Playpark.net
Author duststar | 04.01.2010 | Category Cyber Security, MapleSEA
This vulnerability was reported to Asiasoft six months ago via the then-available Q-Box. A few months later they "removed" the vulnerable splash page, or did they? The vulnerable page is still accessible today.
Background
When I entered http://www.maplesea.com, I was sent to the event splash page:
http://freestyle.playpark.net/eventSplash/index.aspx?return=http://maple.asiasoftsea.net/en/
After 10 seconds, I was automatically redirected to http://maple.asiasoftsea.net/en/.
XSS Vulnerability
The 'return' variable in the event splash page's URL is vulnerable to an XSS attack.
For example, we can replace the return value 'http://maple.asiasoftsea.net/en/' with 'http://www.google.com.sg':
http://freestyle.playpark.net/eventSplash/index.aspx?return=http://www.google.com.sg
After 10 seconds, we will be automatically redirected to Google’s website.
A malicious hacker may point the variable at his own phishing or malicious site (imagine a replica of Asiasoft's passport login page) and send the modified full URL to his targeted victims in a phishing e-mail or through instant messaging.
The victims, thinking that a web link originating from the playpark.net domain should be safe, may click on the link and be redirected to the hacker's phishing or malicious site.
Solution
The 'return' variable should be validated by the server-side script (e.g. ASPX) and restricted to a list of pre-defined URLs.
As a best practice, ALL variables (inputs) should be validated.
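The allow-list check proposed above, written out as an added example (this is illustrative code, not Asiasoft's ASPX page, and the allowed URLs and hosts in it are constructed placeholders, not their real list). Although the post files this under XSS, the behaviour it describes, a redirect target fully controlled by the query string, is what is usually classed as an open redirect, and the same server-side allow-list fixes it. The example shows the two sensible shapes of the check: an exact match against pre-defined full URLs, which is what the post recommends, and a host-based match that parses the URL first so that userinfo tricks, protocol-relative URLs, non-http schemes and look-alike hostnames are rejected rather than redirected to.

```python
from urllib.parse import urlsplit

# Constructed placeholders for the pre-defined destinations the splash page may return to.
# Exact full-URL matching is the simplest and strictest form of the check.
ALLOWED_RETURN_URLS = {
    "http://maple.asiasoftsea.net/en/",
    "http://maple.asiasoftsea.net/zh/",
}
DEFAULT_RETURN_URL = "http://maple.asiasoftsea.net/en/"

# Constructed placeholder host allow-list for the looser, host-based variant.
ALLOWED_HOSTS = {"maple.asiasoftsea.net"}


def is_exact_allowed(candidate: str) -> bool:
    """Strictest check: the supplied URL must equal one of the pre-defined URLs."""
    return candidate in ALLOWED_RETURN_URLS


def is_host_allowed(candidate: str) -> bool:
    """Looser check: any http(s) URL whose host is on the allow-list.

    The URL is parsed before comparison so that the usual ways of smuggling a
    different destination past a naive substring check are all rejected.
    """
    # Whitespace, control characters and backslashes are normalised differently by
    # browsers and URL parsers; refuse them outright instead of guessing.
    if not candidate or not candidate.isprintable():
        return False
    if any(ch in candidate for ch in "\\ \t\r\n"):
        return False

    parts = urlsplit(candidate)  # urlsplit lower-cases the scheme for us

    # "//evil.example/" has an empty scheme; "javascript:" is not a web destination.
    if parts.scheme not in ("http", "https"):
        return False

    # "http://maple.asiasoftsea.net@evil.example/" parses with the trusted name as
    # the userinfo and evil.example as the real host; never accept credentials.
    if parts.username is not None or parts.password is not None:
        return False

    # Invalid port strings make .port raise; treat that as not allowed.
    try:
        port = parts.port
    except ValueError:
        return False
    if port not in (None, 80, 443):
        return False

    host = (parts.hostname or "").lower().rstrip(".")
    # Exact host comparison: "maple.asiasoftsea.net.evil.example" must not pass.
    return host in ALLOWED_HOSTS


def resolve_return(candidate: str, strict: bool = True) -> str:
    """Return the redirect target the page should actually use.

    Anything failing validation falls back to the default destination instead of
    being echoed into the redirect.
    """
    check = is_exact_allowed if strict else is_host_allowed
    return candidate if check(candidate) else DEFAULT_RETURN_URL


if __name__ == "__main__":
    # Constructed sample inputs: the legitimate value from the post, the Google
    # substitution from the post, and a few parser-confusion variants.
    samples = [
        "http://maple.asiasoftsea.net/en/",
        "http://www.google.com.sg",
        "http://maple.asiasoftsea.net@evil.example/",
        "//evil.example/",
        "javascript:void(0)",
        "http://maple.asiasoftsea.net.evil.example/",
        "HTTPS://MAPLE.asiasoftsea.net/events/",
    ]
    for url in samples:
        print(f"{url!r:55} strict -> {resolve_return(url)}")
        print(f"{'':55} host   -> {resolve_return(url, strict=False)}")
```

The strict variant is the one to deploy when the set of return pages is small and known, as it is for a splash page; the host-based variant is only worth its extra parsing when arbitrary paths on the trusted site must be allowed. In either case the rejected value is replaced with a fixed default, never reflected back into the response.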
.duststar
