Hey Guys,

Today I’m going to share one of my interesting Stored XSS vulnerability found on PayPal Site using XML file upload.

PayPal allows the users to create an invoice and send to the other users. Also allow attaching the file into invoice. So I started trying to upload file with different types of extensions and found that PayPal allows users to upload XML formatted file.

So the next steps I tried for XXE vulnerability but no luck which makes me happy. After couple of test cases I applied, but not found any interesting things to make this vulnerable.

I noticed that if we upload XML file with script tag, which is working perfectly.

<?xml version="1.0" encoding="UTF-8"?>
<Query>
   <SearchTerm>
      <script xmlns="
http://www.w3.org/1999/xhtml">
          alert(document.cookie);
      </script>
   </SearchTerm>
</Query>


Now next steps to exploit!

The exploitation of the bug is very easy. In order to does this attack, create an invoice with xml file and send to victim. When victim open the attached xml file, the script run into his/her browser.





I reported to PayPal security team and the bug was valid. After the fix PayPal team rewarded me with Bounty under PayPal BugBounty program.


Thanks.


2 comments

  1. An XML schema definition language is known as a method for constructing schemas. A schema is usually a file needed for defining the structure, content and even semantics of one's XML document. You Can see more in : xml file

    ReplyDelete
  2. When you are making an Extensible Markup Language or XML file, there are a variety of things that you will need to do
    in order to assure yourself that you are generating and developing a functional file.
    You Can see more in : xml file

    ReplyDelete

Powered by Blogger.