PayPal Inc Bug Bounty #117 - Filter Bypass & Remote Session Fixation Vulnerability


The Vulnerability Laboratory Core Team member Hadji Samir discovered a session fixation web vulnerability (EIBBP-31983) [P2] in the official PayPal Inc online service web-application. The vulnerability allows remote attackers to manipulate user session information and take over the session data for malicious purposes.

Data enters a web application through an untrusted source, most frequently an HTTP request, and is included in an HTTP response header sent to a web user without being validated for malicious characters. HTTP response splitting is a means to an end, not an end in itself. At its root, the attack is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The security risk of the session fixation web vulnerability is estimated as medium (CVSS 4.3).

To mount a successful exploit, the application must allow input that contains CR (carriage return, also written as %0d or \r) characters into the header AND the underlying platform must be vulnerable to the injection of such characters. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allow them to create additional responses entirely under their control. On the French PayPal web page, for instance, an attacker can copy and overwrite a victim's session ID and use the false ID to perform actions such as session manipulation and cookie compromise.

The vulnerability can be exploited by a manipulated GET request through the PayPal online service web-application. The security risk of the unencrypted session fixation issue is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 4.3. Exploitation of the vulnerability requires no privileged web-application user account and only low user interaction. Successful exploitation results in manipulation of user session information and information disclosure.
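The two conditions named above (unvalidated user input reaching a header, and a platform that honours a bare CR as a line terminator) can be shown side by side in a small handler. The following is an added example written for this article, not PayPal's or Vulnerability Lab's code: a naive redirect handler that URL-decodes a user-controlled target and pastes it into the Location header, the hardened form that rejects CR/LF after decoding, and a lenient header parser that shows why %0d alone is enough to smuggle in a Set-Cookie line. The hostnames, cookie name and sample inputs are constructed.

```python
"""Added example (not PayPal's or Vulnerability Lab's code): a naive
redirect handler, its hardened form, and a lenient header parser that
shows how a bare %0d splits the response. All hostnames, cookie names
and sample inputs below are constructed for this demonstration."""
import re
from urllib.parse import unquote

CRLF_RE = re.compile(r"[\r\n]")

# Constructed sample inputs (assumptions, not values from any real service).
BENIGN_TARGET = "https://example.com/account"
INJECTED_TARGET = (
    "https://example.com/%0dSet-Cookie:%20SESSION=fixed123;%20Domain=example.com"
)


def build_redirect_vulnerable(raw_target: str) -> bytes:
    """URL-decode the target and place it in Location without validation.
    A decoded CR (%0d) or LF (%0a) ends the header line early, so whatever
    follows it is emitted as further header lines."""
    target = unquote(raw_target)  # %0d -> "\r", %0a -> "\n"
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("utf-8")


def build_redirect_safe(raw_target: str) -> bytes:
    """Same handler, but refuse any decoded value containing CR or LF.
    The check runs on the *decoded* string: a filter that only looks for
    a literal "\\r\\n" in the encoded input would miss %0d and %0a."""
    target = unquote(raw_target)
    if CRLF_RE.search(target):
        raise ValueError("CR/LF not permitted in a header value")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("utf-8")


def is_accepted_by_safe_handler(raw_target: str) -> bool:
    """True if the hardened handler emits a response for this target."""
    try:
        build_redirect_safe(raw_target)
        return True
    except ValueError:
        return False


def parse_response_headers(raw: bytes) -> list:
    """Parse the head of a raw response the way a lenient HTTP stack might:
    a bare CR, a bare LF, or CRLF all terminate a header line. This models
    the 'platform vulnerable to such characters' condition in the advisory.
    Returns (name, value) pairs in wire order, status line excluded."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8")
    lines = re.split(r"\r\n|\r|\n", head)[1:]  # drop the status line
    headers = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def header_names(raw_target: str) -> list:
    """Header names the vulnerable handler actually emits for a target."""
    return [name for name, _ in
            parse_response_headers(build_redirect_vulnerable(raw_target))]


if __name__ == "__main__":
    print("vulnerable handler emits:", header_names(INJECTED_TARGET))
    print("safe handler accepts benign:", is_accepted_by_safe_handler(BENIGN_TARGET))
    print("safe handler accepts injected:", is_accepted_by_safe_handler(INJECTED_TARGET))
```

Running the block prints the injected Set-Cookie as a real header of the vulnerable response, while the hardened handler rejects the same input and still accepts the benign target. The design point is that validation must happen on the decoded value, and that a strict server which only splits lines on CRLF is not a substitute for that validation, since intermediaries and clients may split on a bare CR.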

Proof of Concept (PoC):

The vulnerability can be exploited by attackers with restricted physical device access and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

String Bypass: %0d

https://www.paypal.com/fr/cgi-bin///aao.com//%0dSet-Cookie:HaC80bwXscjqZ... Domain=.paypal.com; Path=/;Expires=Mon, 08 Jun 2020 18:53:07 GMT; HttpOnly; Secure
Note: https://www.paypal.com/fr/cgi-bin///aao.com// is an error page, so it redirects to paypalproject.com; any error page redirects to paypalproject.
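From the server side, the %0d bypass above shows up as a request target carrying a CR or LF once URL-decoded. The following is an added detection example written for this article (not PayPal's or Vulnerability Lab's code) that scans access-log lines for CR/LF in the request target, decoding up to twice so that a double-encoded %250d is also caught. The log lines are constructed in Apache combined-log style; the addresses and paths are placeholders.

```python
"""Added detection example (not PayPal's or Vulnerability Lab's code):
flag access-log requests whose target contains CR/LF at any URL-decoding
depth up to two. The log lines, addresses and paths are constructed."""
import re
from urllib.parse import unquote

# Constructed sample log lines: one clean request, one single-encoded
# %0d injection, one double-encoded %250d attempt, one benign %2F.
LOG_LINES = [
    '203.0.113.7 - - [08/Jun/2015:18:53:07 +0000] "GET /fr/cgi-bin/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [08/Jun/2015:18:53:09 +0000] '
    '"GET /fr/cgi-bin///%0dSet-Cookie:SESSION=x HTTP/1.1" 302 0',
    '198.51.100.4 - - [08/Jun/2015:18:54:00 +0000] '
    '"GET /search?q=%250dSet-Cookie:SESSION=y HTTP/1.1" 200 88',
    '198.51.100.9 - - [08/Jun/2015:18:55:00 +0000] "GET /help?topic=cr%2Flf HTTP/1.1" 200 1000',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CRLF_RE = re.compile(r"[\r\n]")


def contains_crlf(target: str, max_decode: int = 2) -> bool:
    """Return True if the target contains CR or LF at any decoding depth
    up to max_decode. Decoding more than once catches %250d, which a
    single-decode filter at the edge would pass through unchanged."""
    value = target
    for _ in range(max_decode):
        if CRLF_RE.search(value):
            return True
        decoded = unquote(value)
        if decoded == value:  # nothing left to decode
            break
        value = decoded
    return bool(CRLF_RE.search(value))


def flag_suspicious(lines):
    """Return (target, line) pairs for requests whose target carries CR/LF."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and contains_crlf(match.group("target")):
            hits.append((match.group("target"), line))
    return hits


if __name__ == "__main__":
    for target, line in flag_suspicious(LOG_LINES):
        print("CR/LF in request target:", target)
```

The benign %2F line is left alone, since only CR and LF matter for header injection; a check that flagged every percent-encoded character would drown real hits in noise. The same `contains_crlf` test belongs at the input boundary of the application as well as in log review.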

PayPal Inc - Filter Bypass & Remote Session Fixation Web Vulnerability (Bug Bounty) 2015

Video: https://www.youtube.com/watch?v=Uyg8xlt-8go

Vulnerability Disclosure Timeline:
2015-06-06: Researcher Notification & Coordination (Hadji Samir - Evolution Security GmbH)
2015-06-08: Vendor Notification (PayPal Inc - Security & Bug Bounty Team)
2015-07-04: Vendor Response/Feedback (PayPal Inc - Security & Bug Bounty Team)
2015-09-30: Vendor Fix/Patch (PayPal Inc - Developer Team)
2015-10-08: Security Reward (PayPal Inc - Bug Bounty Team) [3.000$]
2015-10-09: Public Disclosure (Vulnerability Laboratory)

References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1509
http://www.vulnerability-lab.com/get_content.php?id=1615

Credits & Authors: Vulnerability Laboratory [Research Team] - Hadji Samir
