Monday, 22 February 2016

Cross-Site Scripting (XSS) in the Mozilla Add-ons site


Hi,
I am Paresh Parmar.
This is my first write-up.

So let's start.
It was 2016-02-09, and I was reading a blog post by Ashar Javed: https://respectxss.blogspot.de/2016/01/persistent-xss-in-mozilla-add-ons-site.html

After reading that blog post, I set my target to Mozilla Add-ons: https://addons.mozilla.org/en-US/firefox/
It was mobile and XSS days for me ;)
so I was hunting only mobile sites.
I was using this user-agent string:
Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0.


So let's go.
After setting up the target, I chose the review section endpoint for hunting.

For example: https://addons.mozilla.org/en-US/seamonkey/addon/mailbox-alert/reviews/
Here you can write a review about a particular add-on!

So I gave 5 stars to that add-on :p and in the review I wrote

"
<img src=x onerror=alert(document.domain)>
"
and submitted the review, and boom!!! XSS executed.

Within two minutes, I found this simple XSS.
I reported this issue to https://bugzilla.mozilla.org/
After reporting this issue I started digging into it.

As far as I know, we can bypass the CSRF protection of that page via XSS.
There are three steps to bypass a CSRF token using XSS:


1. First, request the form
2. Extract the valid CSRF token
3. Submit the form using the valid CSRF token
Here's a great reference for XMLHttpRequest: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest
Reference: https://rileykidd.com/2013/09/09/using-xss-to-csrf/
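The root cause of a stored XSS like this one is review text reaching the page as live markup. The following is an added example (not code from this write-up or from addons-server) that shows, in Python, why a blacklist that only strips <script> tags does not stop the img/onerror payload above, how output encoding neutralises it, and a simple detection check a reviewer pipeline could log on; the sample reviews and function names are constructed for the example.

```python
import html
import re

# Constructed sample review bodies. The first one is the payload from the
# write-up; the others are a benign review and a plain <script> attempt.
SAMPLE_REVIEWS = [
    "<img src=x onerror=alert(document.domain)>",
    "Great add-on, 5 stars <3",
    "<script>alert(1)</script>",
]

# Naive blacklist that only removes <script> tags.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def strip_script_tags(review: str) -> str:
    """Blacklist approach: drops <script> tags but leaves every other tag
    and attribute intact, so the img/onerror payload passes straight
    through to the page unchanged."""
    return SCRIPT_TAG_RE.sub("", review)


def render_review(review: str) -> str:
    """Output encoding: every character that has meaning in HTML
    (<, >, &, quotes) becomes an entity, so the browser displays the
    review as text instead of parsing it as markup."""
    return '<p class="review">' + html.escape(review, quote=True) + "</p>"


# Detection: a tag carrying an on...= event-handler attribute, or a
# <script> tag, inside a submitted review is a strong sign of an
# injection attempt worth logging and alerting on.
INJECTION_HINT_RE = re.compile(r"<[^>]*\bon[a-z]+\s*=|<\s*script\b", re.IGNORECASE)


def looks_like_markup_injection(review: str) -> bool:
    return bool(INJECTION_HINT_RE.search(review))


def triage(reviews):
    """Return (review, flagged, safely rendered HTML) for each submission."""
    return [(r, looks_like_markup_injection(r), render_review(r)) for r in reviews]


if __name__ == "__main__":
    for review, flagged, rendered in triage(SAMPLE_REVIEWS):
        print(f"flagged={flagged!s:5} rendered={rendered}")
```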


After only 12 hours they confirmed this issue, and in just 2 days they fixed it.
Here's the commit: https://github.com/mozilla/addons-server/commit/455132c9a104c6907e5208054d0e2187d5d90ca8



Regarding the bounty, I sent an email to security@mozilla.org along with the Bugzilla report ID and another PoC ;)
After a few days, I got this mail:





Here's the video PoC:

Timeline:
2016-02-09 13:35:54 PST - Report Sent

2016-02-10 07:10:17 PST - Confirmed

2016-02-11 08:53:31 PST - Fixed

2016-02-20 - Bounty awarded: $3000


Special thanks to the Mozilla Bug Bounty/Bugzilla team.