ebankIT 6 Cross Site Scripting – Torchsec
[Description]
An issue was discovered in ebankIT before version 7.
Document Object Model based XSS exists within the
/Security/Transactions/Transactions.aspx
endpoint. Users can supply their own JavaScript within the
ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray
POST parameter that will be passed to an eval() function and executed
upon pressing the continue button.
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
ebankIT
------------------------------------------
[Affected Product Code Base]
ebankIT - Omnichannel Digital Banking Platform - Version 6, patched in version 7
------------------------------------------
[Affected Component]
The endpoint existing at: /Security/Transactions/Transactions.aspx
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
I discovered a Document Object Model-based Cross-Site Scripting issue
within the ebankIT platform. While manually inspecting the client-side
JavaScript code I came across the variable JSONText. This variable
was using the eval function to parse data passed to it through the
accobj variable. Knowing the eval function evaluates text as
JavaScript, I proceeded to locate exactly what data was passed to this
variable. I found that the data could be supplied by a user during a
Transfer request (on /Security/Transactions/Transactions.aspx), when
selecting which account to transfer from. To execute this XSS, I
intercepted our test user s Transfer request, supplied my own custom
JavaScript alert(4) in the
ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray
POST parameter, and pressed the continue button which resulted in
the payload successfully executing.
------------------------------------------
[Discoverer]
Jake Murphy
Gloss