Stored XSS in Alibaba and Aliexpress

I found some serious vulnerabilities in the Alibaba and Aliexpress websites.


1. XSS in Aliexpress

Aliexpress, a Chinese website which is worth billions, had these vulnerabilities. I could insert JavaScript into their website and steal cookies from users, download malicious files, run malicious code, insert ads, redirect users to my website and much more.

How did I do it?

Well, the add-product page on the seller portal uses a rich text editor, which then converts the text into HTML and sends it to the server. I just intercepted it and added XSS in the script. Check the video below.

NOTE: I used onmouseover to trigger the XSS, but I could have used onerror with img for better effect, and no user interaction would be needed to trigger the XSS.

3. XSS in Alibaba

Alibaba has a message center where users could message each other. The message didn't have an HTML filter, which means I could send HTML tags. But it was limited, because the whole of Alibaba has a filter which prevents XSS.

I could only send tags like <b>, <i> etc.

And if I tried to send <b onclick="alert('xss')"> it wouldn't work because of the filter. So what I did was use 'HTML decimal character references', which bypassed the filter.

So I sent a message like

<b onclick="&#0000097l&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">Click here

This is the HTML decimal character reference encoding of

 <b onclick="alert('XSS')">

And it worked...
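The bypass works because the browser decodes character references inside attribute values before it runs the handler, so a filter that pattern-matches the raw message text never sees the word alert. The block below is an added example, not code from the original post or from Alibaba: a server-side allowlist sanitizer that parses the submitted markup (which also covers HTML sent by a client-side rich text editor) and re-emits only bare formatting tags. The naive_filter_blocks function is a hypothetical stand-in for a raw-text blocklist, and the tag allowlist is an assumption.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p"}  # assumed allowlist

# The encoded message quoted in the post, embedded as sample input.
ENCODED = ('<b onclick="&#0000097l&#0000101&#0000114&#0000116&#0000040&#0000039'
           '&#0000088&#0000083&#0000083&#0000039&#0000041">Click here')

def naive_filter_blocks(raw):
    """Hypothetical blocklist: looks for a handler calling alert in the raw text."""
    return re.search(r"on\w+\s*=\s*[\"']?\s*alert", raw, re.I) is not None

class AllowlistSanitizer(HTMLParser):
    """Re-emits allowed tags with no attributes; everything else is dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.dropped = [], [], []

    def handle_starttag(self, tag, attrs):
        # attrs arrive with character references already decoded by the parser
        self.dropped += [(tag, name, value) for name, value in attrs]
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:
            self.close_until(tag)

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-encoded on output

    def close_until(self, tag=None):
        # Close open tags down to `tag` (or all of them) so output stays balanced
        while self.open:
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

def sanitize(raw):
    """Return (clean_html, dropped_attributes) for an untrusted message body."""
    parser = AllowlistSanitizer()
    parser.feed(raw)
    parser.close()
    parser.close_until()
    return "".join(parser.out), parser.dropped

if __name__ == "__main__":
    print(naive_filter_blocks(ENCODED))
    print(sanitize(ENCODED))
```

The dropped list holds the decoded attribute values, so it can be logged to see what a sender tried to smuggle past the filter.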

4. Summary

I reported it to the Alibaba security team and they have fixed this. But other websites might contain such vulnerabilities. Keep exploring but don't be evil...

5. Report Timeline

2019-Nov-18: Vulnerability found and reported

2019-Nov-19: First response from team

2019-Nov-21: Report triaged, $1160 bounty rewarded

2019-Dec-22: $1125 transferred to my account via SWIFT transfer

 

This is just for information and might help other white hats to know better how their reports get processed.

