
Finding and Exploiting Same Origin Method Execution vulnerabilities

Recently it came to my attention that it is possible to abuse JSONP callbacks using a vulnerability known as SOME (Same Origin Method Execution), which an attacker can use to widely abuse the trust between the user, the web application and its intended flow of execution. For example, using the SOME attack it is possible for an attacker to trick a user into visiting a malicious web page which contains a link to the host web application’s API with a JSONP callback parameter which the attacker controls.

An example of this would be as follows:

The above URL could be an example of a method for a third-party to obtain user accounts associated with the user ID 1 and would return something similar to the following:
logResults({"username": "admin", "email_address":""});

However, using the SOME attack it is possible to change the callback function to be anything that Javascript or the API recognises. An example of which could be the following:'');//

Which would return something similar to the following:'');//({"username": "admin", "email_address":""});

Using this example the above URL would open a window from the user’s browser and direct them to (and prevent the rest of the response from being parsed) which could infect the user’s browser with a persistent XSS malware such as BeEF or similar.

A lot of web applications rely on the Same Origin Policy, which attempts to prevent attackers from loading pages or resources from external entities. However, this attack bypasses it in two ways. First, JSONP (JSON with Padding) is expected to be used externally, as that is what it was designed for. Second, all calls to the resource are loaded from the same origin, which means the request is never caught by the Same Origin Policy.

Whilst performing some testing with this vulnerability, I found that it was also possible to abuse it remotely by bypassing the Same Origin Policy using a few tricks, such as loading the affected URL directly from an <img src=""> tag or a <script> tag, which are not blocked by the Same Origin Policy. This allows an attacker to perform a virtually unlimited number of actions on the application in the context of the unsuspecting victim user. These actions could range from stealing personal images, releasing data and stealing cookies to simply performing malicious acts such as infecting the user with BeEF.

During this research I found that most of the major websites, including Microsoft, Facebook, Google, etc are all vulnerable to this type of attack. The one thing they all have in common is open-source Javascript frameworks from jQuery, PrototypeJS, AngularJS and more. These Javascript frameworks appear to allow for the SOME vulnerability to be present without any way of removing the functionality (easily).
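The defensive counterpart to the attack described above, as an added example that is not code from the original post or from any of the frameworks named: a JSONP endpoint that only echoes a callback name when it is a plain JavaScript identifier, so a value carrying `'');//`-style payload characters is refused rather than written into the response. The URL path, query parameter name and response shapes are assumptions.

```javascript
// Added example (not from the original post). Only letters, digits, _, $ and
// dots (for namespaced callbacks such as jQuery's) are allowed in a callback.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallback(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Builds the JSONP body, or returns null when the callback must not be echoed.
function renderJsonp(callback, data) {
  if (!isSafeCallback(callback)) return null;
  // U+2028/U+2029 are legal in JSON but terminate a line in older JavaScript
  // engines, so escape them to keep the body a single valid statement.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  // The leading comment stops the response being reinterpreted as a
  // non-script file type when the callback is the first bytes of the body.
  return `/**/${callback}(${json});`;
}

// Headers a hardened endpoint sends with the body: an explicit script
// content type plus nosniff so browsers do not guess a different one.
const JSONP_HEADERS = {
  "Content-Type": "application/javascript; charset=utf-8",
  "X-Content-Type-Options": "nosniff",
};
const JSON_HEADERS = { "Content-Type": "application/json; charset=utf-8" };

// Assumed request shape: /api/user?id=1&callback=logResults (constructed).
// Returns the status, headers and body the endpoint would answer with.
function handleJsonpRequest(requestUrl, data) {
  const params = new URL(requestUrl, "http://localhost").searchParams;
  const callback = params.get("callback") ?? "callback";
  const body = renderJsonp(callback, data);
  if (body === null) {
    return { status: 400, headers: JSON_HEADERS, body: '{"error":"invalid callback"}' };
  }
  return { status: 200, headers: JSONP_HEADERS, body };
}
```

The valid case reproduces the `logResults({...});` response shown earlier; anything the identifier rule does not cover gets a 400 and a plain JSON error body.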

SOME Example

[IRCCloud] History and Another XSS Bug Bounty

Personally, I have been a user of IRC since 2004 on some private networks and some other well-known ones such as Freenode. However, it was always inconvenient to have to set up an IRC Bouncer, so when IRCCloud came around, I was excited to try it and see if it provided me with a method of staying connected to all the required networks without having to download a new client on every computer I was on (as it’s a web service).

After trying the Beta which was a free option before they publicly released the paid version, I thought I’d try and find some vulnerabilities to report to them – for no other reason than to ensure that the service that I am using can’t be exploited to disclose any of my information or data.

The first issue I identified was that the application has a pastebin feature for when the user pastes a large amount of text, they get the option for uploading to their own proprietary pastebin service.

IRCCloud Pastebin

However, after performing some testing to execute JavaScript within the resulting pastebin link, I found that it was possible to insert a new line (\n) followed by a Cross Site Scripting payload, which executed as a full pre-authentication Persistent Cross Site Scripting vulnerability.

Read the full report on HackerOne.

[IRCCloud] Inadequate input validation on API endpoint leading to self denial of service and increased system load

So, as you do, I was just looking around, manually fuzzing some WebSocket requests to see if I could get any sort of XSS, remote IRC command injection or SQLi mainly. I didn’t find much there that was worth noting, so I started checking whether their logic was all right. One of their requests looked similar to:

{"_reqid":1234, "cid":5678, "to": "#treehouse", "msg":"test", "method":"say"}

I thought, alright, what if I can send a message to multiple channels, so I changed the "to" parameter to be an array: "to":["#treehouse", "#darkscience"] – Then all of a sudden my account gets disabled. So I booted up irssi and jumped on to the support channel to speak to the security engineers there. RJ (the one I spoke to) confirmed that the request put my account into an infinite loop attempting to send to a string-type channel but an array was given. This started filling up the internal queues and started increasing the RAM usage. He then fixed the issue with some difficulty. So as a report I submitted it to HackerOne just so they had a track of it.

With some further discussion with RJ and James (Another IRCCloud security engineer), it would have been possible to create multiple “test accounts” which would have been propagated over the other servers, performed the attack across the test accounts, which in turn may have brought down the servers due to lack of Disk Space or resources available.
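The class of fix the bug above calls for, as an added example that is not IRCCloud’s code: the "say" request is checked field by field against the expected types before it reaches any queue, so an array in "to" is answered with an error instead of being retried forever. The field names come from the request shown in the post; the schema, the error response shape and the queue stand-in are constructed assumptions.

```javascript
// Added example, not IRCCloud's code. Expected JavaScript type of each field
// in the "say" request from the post (constructed schema).
const SAY_SCHEMA = {
  _reqid: "number",
  cid: "number",
  to: "string",
  msg: "string",
  method: "string",
};

// Returns null when the request is well formed, otherwise a description of
// the first problem found. typeof [] is "object", so an array in "to" fails
// the "string" check before anything tries to deliver to it.
function validateSay(req) {
  if (req === null || typeof req !== "object" || Array.isArray(req)) {
    return "request must be an object";
  }
  for (const [field, expected] of Object.entries(SAY_SCHEMA)) {
    if (!(field in req)) return `missing field: ${field}`;
    if (typeof req[field] !== expected) return `field ${field} must be a ${expected}`;
  }
  if (req.method !== "say") return "unsupported method";
  // One IRC channel name: a channel prefix and no whitespace or commas,
  // which also rules out smuggling several targets into one string.
  if (!/^[#&!+][^\s,]{1,49}$/.test(req.to)) return "to must be a single channel name";
  return null;
}

// Queue stand-in (constructed): a rejected request gets an immediate reply and
// is never enqueued, so malformed input cannot grow the queue or loop.
function handleSay(req, queue) {
  const err = validateSay(req);
  if (err !== null) {
    return { _reqid: req && typeof req._reqid === "number" ? req._reqid : null, success: false, error: err };
  }
  queue.push({ cid: req.cid, to: req.to, msg: req.msg });
  return { _reqid: req._reqid, success: true };
}
```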

IRCCloud were brilliant in dealing with the report, and the timely responses from James, even out of working hours, were by far the best I had ever seen. *tilts hat to James*

Here is the full report issued to IRCCloud on HackerOne.

Most businesses do not understand data breach risks


Research by HP has uncovered a lack of understanding among businesses of the risks associated with data breaches. More than 70% of US and UK executives surveyed by the Ponemon Institute said that their organisation does not understand fully the dangers of breaches, while less than half of top executives and board members are kept informed about the response process.

The 2014 Executive Breach Preparedness Research Report was designed to highlight the importance of senior executive involvement in the response to data breaches. While 79% of the nearly 500 senior executives polled agreed that executive-level involvement in the response process was necessary to a successful resolution, only 45% said that they were accountable for the process. The research also found that most executives are more concerned about threats from within their business than external attacks.

As we discussed last week, the financial cost of data breaches can be huge, not to mention the missed revenues due to reputational damage. This is why direction and leadership is needed from those at the top. Executives need to be aware of and actively involved in the data breach response process, and there needs to be a clear plan in place to prevent security incidents from escalating to a complete disaster for the company.

The Ponemon Institute noted that senior executives and board members may have been complacent about the effects of cyber-attacks and data breaches in the past, but are now gradually realising the damaging costs of such incidents. This is welcome news and we hope that senior executives will continue to take a more active role in their response to data breaches, educating themselves and their staff about the risks and start investing in the best security technology available.

Research Reveals Cost of Online Fraud to UK


This week has been Get Safe Online Week and to coincide with the event, the National Fraud Intelligence Bureau researched cyber-crime in the UK. The research found that over the last year, the ten biggest online scams cost victims over £670m – although the actual figure is thought to be significantly higher than that due to unreported crimes.

A separate poll found that while over half of Britons have been a victim of either online fraud, ID theft, hacking or online abuse, only a third of them reported the crime. One of the reasons for this is that many people did not know how to report the crime. It is hoped that this will be improved by the development of Action Fraud, the UK’s national fraud reporting centre, and the increasing resources that the Government is dedicating to cyber-crime.

The research also suggests that cyber-crime is increasingly being taken more seriously by the British public. Around 53% said they now see it as a serious “physical world” crime and 42% stated that they are now more vigilant when shopping online. Despite this change in attitude, many people are still failing to take basic security measures with 67% of tablet owners and 54% of mobile phone owners in the survey not having a password or PIN to secure their device.

It’s good to see that initiatives like Get Safe Online Week and Action Fraud are raising awareness of online crimes and of what people can do to prevent them. However, this research is a stark reminder of the dangers that we all face online. Online fraud continues to increase as crime overall falls, with criminals constantly developing new ways of targeting victims online.

At Pentura we believe that education is the key in the fight against cyber-crime. Our LearnwithPentura e-learning portal provides users with advice on security and best practice, with eight online modules ranging from email to removable media. Complacency is not an option, and businesses and authorities must continue to raise awareness of the dangers of online crime and educate users in cyber security.

Kmart hit by card hack attack


It’s been revealed that a data breach at US retail chain Kmart that compromised card details lasted over a month. The discount department store said that the malware was discovered last week but had been operating since early September. Based on its investigation so far, the company said that it believes credit and debit cards were exposed but that no personal information, PIN numbers, email addresses or social security numbers were accessed.

The incident is the latest in a string of cyber-attacks on American retailers. Last week, restaurant chain Dairy Queen revealed that hackers had stolen names, card numbers and expiration dates of around 600,000 cards across 395 of its restaurants. There have also been huge recent attacks on Home Depot, in which 56 million cards were affected, and on Target, when 40 million cards were compromised in the run-up to Christmas 2013.

It’s not thought that the breached information is being used to create counterfeit cards or encumber customers with bills for items that they haven’t bought. Nevertheless, the attack is a reminder and a warning to retailers that the sheer size of their computer networks makes them an attractive target to hackers. By improving detection times, large chains will reduce the damage caused by such breaches and better protect both their customers and their reputation.

AT&T suffers insider data breach


AT&T has become the latest multinational company to suffer a data breach after one of its own employees gained access to customer data. The US mobile telecoms giant has started informing around 1,600 customers in Vermont that their personal data was breached in August.

In a letter posted on the Vermont government’s website, AT&T confirmed that a former employee had broken the company’s privacy policy and obtained customer data, including unique customer numbers, social security numbers and driver’s license numbers. AT&T has not said why the employee stole the information or whether he used it for malicious purposes, but it is nevertheless a serious breach and the federal authorities have been informed.

Although this is a smaller incident in comparison to recent cyber-attacks on JPMorgan Chase and iCloud, it is a reminder to IT managers about the dangers of insider data breaches. Whether intentional or not, internal breaches can be equally as damaging as external attacks and IT departments ignore this at their peril. Ensuring that your internal policies and controls are watertight and that employees are educated in data security is just as important as protecting your network from outside cyber-attacks.
